rfc9528.original.xml   rfc9528.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rfc [ <!DOCTYPE rfc [
<!ENTITY nbsp "&#160;"> <!ENTITY nbsp "&#160;">
<!ENTITY zwsp "&#8203;"> <!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;"> <!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;"> <!ENTITY wj "&#8288;">
]> ]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.39 (Ruby 3.0. <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft
2) --> -ietf-lake-edhoc-23" number="9528" submissionType="IETF" category="std" consensu
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft s="true" tocDepth="2" tocInclude="true" sortRefs="true" symRefs="true" updates="
-ietf-lake-edhoc-22" category="std" consensus="true" submissionType="IETF" tocDe " obsoletes="" xml:lang="en" version="3">
pth="2" tocInclude="true" sortRefs="true" symRefs="true" version="3">
<!-- xml2rfc v2v3 conversion 3.18.0 --> <!-- xml2rfc v2v3 conversion 3.18.0 -->
<front> <front>
<title abbrev="EDHOC">Ephemeral Diffie-Hellman Over COSE (EDHOC)</title> <title abbrev="EDHOC">Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
<seriesInfo name="Internet-Draft" value="draft-ietf-lake-edhoc-22"/> <seriesInfo name="RFC" value="9528"/>
<author initials="G." surname="Selander" fullname="Göran Selander"> <author initials="G." surname="Selander" fullname="Göran Selander">
<organization abbrev="Ericsson">Ericsson AB</organization> <organization abbrev="Ericsson">Ericsson AB</organization>
<address> <address>
<postal> <postal>
<street>SE-164 80 Stockholm</street> <code>164 80</code>
<city>Stockholm</city>
<country>Sweden</country> <country>Sweden</country>
</postal> </postal>
<email>goran.selander@ericsson.com</email> <email>goran.selander@ericsson.com</email>
</address> </address>
</author> </author>
<author initials="J" surname="Preuß Mattsson" fullname="John Preuß Mattsson" > <author initials="J" surname="Preuß Mattsson" fullname="John Preuß Mattsson" >
<organization abbrev="Ericsson">Ericsson AB</organization> <organization abbrev="Ericsson">Ericsson AB</organization>
<address> <address>
<postal> <postal>
<street>SE-164 80 Stockholm</street> <code>164 80 </code>
<city>Stockholm</city>
<country>Sweden</country> <country>Sweden</country>
</postal> </postal>
<email>john.mattsson@ericsson.com</email> <email>john.mattsson@ericsson.com</email>
</address> </address>
</author> </author>
<author initials="F." surname="Palombini" fullname="Francesca Palombini"> <author initials="F." surname="Palombini" fullname="Francesca Palombini">
<organization abbrev="Ericsson">Ericsson AB</organization> <organization abbrev="Ericsson">Ericsson AB</organization>
<address> <address>
<postal> <postal>
<street>SE-164 80 Stockholm</street> <code>164 80 </code>
<city>Stockholm</city>
<country>Sweden</country> <country>Sweden</country>
</postal> </postal>
<email>francesca.palombini@ericsson.com</email> <email>francesca.palombini@ericsson.com</email>
</address> </address>
</author> </author>
<date year="2023" month="August" day="25"/> <date year="2024" month="March"/>
<area>SEC</area> <area>sec</area>
<workgroup>LAKE Working Group</workgroup> <workgroup>lake</workgroup>
<keyword>AKE</keyword>
<keyword>LAKE</keyword>
<keyword>COSE</keyword>
<keyword>OSCORE</keyword>
<keyword>lightweight authenticated key exchange</keyword>
<keyword>constrained node networks</keyword>
<keyword>IoT security</keyword>
<abstract> <abstract>
<?line 278?>
<t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a very co mpact and lightweight authenticated Diffie-Hellman key exchange with ephemeral k eys. EDHOC provides mutual authentication, forward secrecy, and identity protect ion. EDHOC is intended for usage in constrained scenarios and a main use case is to establish an OSCORE security context. By reusing COSE for cryptography, CBOR for encoding, and CoAP for transport, the additional code size can be kept very low.</t> <t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a very co mpact and lightweight authenticated Diffie-Hellman key exchange with ephemeral k eys. EDHOC provides mutual authentication, forward secrecy, and identity protect ion. EDHOC is intended for usage in constrained scenarios, and a main use case i s to establish an Object Security for Constrained RESTful Environments (OSCORE) security context. By reusing CBOR Object Signing and Encryption (COSE) for crypt ography, Concise Binary Object Representation (CBOR) for encoding, and Constrain ed Application Protocol (CoAP) for transport, the additional code size can be ke pt very low.</t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<?line 282?> <?line 282?>
<section anchor="introduction"> <section anchor="introduction">
<name>Introduction</name> <name>Introduction</name>
<section anchor="motivation"> <section anchor="motivation">
<name>Motivation</name> <name>Motivation</name>
<t>Many Internet of Things (IoT) deployments require technologies which <t>Many Internet of Things (IoT) deployments require technologies that a
are highly performant in constrained environments <xref target="RFC7228"/>. IoT re highly performant in constrained environments <xref target="RFC7228"/>. IoT d
devices may be constrained in various ways, including memory, storage, processin evices may be constrained in various ways, including memory, storage, processing
g capacity, and power. The connectivity for these settings may also exhibit cons capacity, and power. The connectivity for these settings may also exhibit const
traints such as unreliable and lossy channels, highly restricted bandwidth, and raints, such as unreliable and lossy channels, highly restricted bandwidth, and
dynamic topology. The IETF has acknowledged this problem by standardizing a rang dynamic topology. The IETF has acknowledged this problem by standardizing a rang
e of lightweight protocols and enablers designed for the IoT, including the Cons e of lightweight protocols and enablers designed for the IoT, including CoAP <xr
trained Application Protocol (CoAP, <xref target="RFC7252"/>), Concise Binary Ob ef target="RFC7252"/>, CBOR <xref target="RFC8949"/>, and Static Context Header
ject Representation (CBOR, <xref target="RFC8949"/>), and Static Context Header Compression (SCHC) <xref target="RFC8724"/>.</t>
Compression (SCHC, <xref target="RFC8724"/>).</t> <t>The need for special protocols targeting constrained IoT deployments
<t>The need for special protocols targeting constrained IoT deployments extends also to the security domain <xref target="I-D.ietf-lake-reqs"/>. Importa
extends also to the security domain <xref target="I-D.ietf-lake-reqs"/>. Importa nt characteristics in constrained environments are the number of round trips and
nt characteristics in constrained environments are the number of round trips and protocol message sizes, which (if kept low) can contribute to good performance
protocol message sizes, which if kept low can contribute to good performance by by enabling transport over a small number of radio frames, reducing latency due
enabling transport over a small number of radio frames, reducing latency due to to fragmentation, duty cycles, etc. Another important criterion is code size, wh
fragmentation or duty cycles, etc. Another important criterion is code size, wh ich may be prohibitively large for certain deployments due to device capabilitie
ich may be prohibitively large for certain deployments due to device capabilitie s or network load during firmware updates. Some IoT deployments also need to sup
s or network load during firmware update. Some IoT deployments also need to supp port a variety of underlying transport technologies, potentially even with a sin
ort a variety of underlying transport technologies, potentially even with a sing gle connection.</t>
le connection.</t> <t>Some security solutions for such settings exist already. COSE <xref t
<t>Some security solutions for such settings exist already. CBOR Object arget="RFC9052"/> specifies basic application-layer security services efficientl
Signing and Encryption (COSE, <xref target="RFC9052"/>) specifies basic applicat y encoded in CBOR. Another example is OSCORE <xref target="RFC8613"/>, which is
ion-layer security services efficiently encoded in CBOR. Another example is Obje a lightweight communication security extension to CoAP using CBOR and COSE. In
ct Security for Constrained RESTful Environments (OSCORE, <xref target="RFC8613" order to establish good quality cryptographic keys for security protocols such a
/>) which is a lightweight communication security extension to CoAP using CBOR a s COSE and OSCORE, the two endpoints may run an authenticated Diffie-Hellman key
nd COSE. In order to establish good quality cryptographic keys for security prot exchange protocol, from which shared secret keying material can be derived. Suc
ocols such as COSE and OSCORE, the two endpoints may run an authenticated Diffie h a key exchange protocol should also be lightweight to prevent bad performance
-Hellman key exchange protocol, from which shared secret keying material can be in case of repeated use, e.g., due to device rebooting or frequent rekeying for
derived. Such a key exchange protocol should also be lightweight; to prevent bad security reasons or to avoid latencies in a network formation setting with many
performance in case of repeated use, e.g., due to device rebooting or frequent devices authenticating at the same time.</t>
rekeying for security reasons; or to avoid latencies in a network formation sett <t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a
ing with many devices authenticating at the same time.</t> lightweight authenticated key exchange protocol providing good security propert
<t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a ies including forward secrecy, identity protection, and cipher suite negotiation
lightweight authenticated key exchange protocol providing good security propert . Authentication can be based on raw public keys (RPKs) or public key certificat
ies including forward secrecy, identity protection, and cipher suite negotiation es and requires the application to provide input on how to verify that endpoints
. Authentication can be based on raw public keys (RPK) or public key certificate are trusted. This specification supports the referencing of credentials in orde
s and requires the application to provide input on how to verify that endpoints r to reduce message overhead, but credentials may alternatively be embedded in t
are trusted. This specification supports the referencing of credentials in order he messages.
to reduce message overhead, but credentials may alternatively be embedded in th EDHOC does not currently support Pre-Shared Key (PSK) authentication as authenti
e messages. cation with static Diffie-Hellman (DH) public keys by reference produces equally
EDHOC does not currently support pre-shared key (PSK) authentication as authenti small message sizes but with much simpler key distribution and identity protect
cation with static Diffie-Hellman public keys by reference produces equally smal ion.</t>
l message sizes but with much simpler key distribution and identity protection.< <t>EDHOC makes use of known protocol constructions, such as SIGn-and-MAc
/t> <xref target="SIGMA"/>, the Noise XX pattern <xref target="Noise"/>, and Extrac
<t>EDHOC makes use of known protocol constructions, such as SIGMA <xref t-and-Expand <xref target="RFC5869"/>. EDHOC uses COSE for cryptography and iden
target="SIGMA"/>, the Noise XX pattern <xref target="Noise"/>, and Extract-and-E tification of credentials (including COSE_Key, CBOR Web Token (CWT), CWT Claims
xpand <xref target="RFC5869"/>. EDHOC uses COSE for cryptography and identificat Set (CCS), X.509, and CBOR-encoded X.509 (C509) certificates; see <xref target="
ion of credentials (including COSE_Key, CBOR Web Token (CWT), CWT Claims Set (CC auth-cred"/>). COSE provides crypto agility and enables the use of future algori
S), X.509, and CBOR encoded X.509 (C509) certificates, see <xref target="auth-cr thms and credential types targeting IoT.</t>
ed"/>). COSE provides crypto agility and enables the use of future algorithms an <t>EDHOC is designed for highly constrained settings, making it especial
d credential types targeting IoT.</t> ly suitable for low-power networks <xref target="RFC8376"/> such as Cellular IoT
<t>EDHOC is designed for highly constrained settings making it especiall , IPv6 over the TSCH mode of IEEE 802.15.4e (6TiSCH), and LoRaWAN. A main object
y suitable for low-power networks <xref target="RFC8376"/> such as Cellular IoT, ive for EDHOC is to be a lightweight authenticated key exchange for OSCORE, i.e.
6TiSCH, and LoRaWAN. A main objective for EDHOC is to be a lightweight authenti , to provide authentication and session key establishment for IoT use cases such
cated key exchange for OSCORE, i.e., to provide authentication and session key e as those built on CoAP <xref target="RFC7252"/> involving 'things' with embedde
stablishment for IoT use cases such as those built on CoAP <xref target="RFC7252 d microcontrollers, sensors, and actuators. By reusing the same lightweight prim
"/> involving 'things' with embedded microcontrollers, sensors, and actuators. B itives as OSCORE (CBOR, COSE, and CoAP), the additional code size can be kept ve
y reusing the same lightweight primitives as OSCORE (CBOR, COSE, CoAP) the addit ry low. Note that while CBOR and COSE primitives are built into the protocol mes
ional code size can be kept very low. Note that while CBOR and COSE primitives a sages, EDHOC is not bound to a particular transport.</t>
re built into the protocol messages, EDHOC is not bound to a particular transpor <t>A typical setting is when one of the endpoints is constrained or in a
t.</t> constrained network and the other endpoint is a node on the Internet (such as a
<t>A typical setting is when one of the endpoints is constrained or in a mobile phone). Thing-to-thing interactions over constrained networks are also r
constrained network, and the other endpoint is a node on the Internet (such as elevant since both endpoints would then benefit from the lightweight properties
a mobile phone). Thing-to-thing interactions over constrained networks are also of the protocol. EDHOC could, e.g., be run when a device connects for the first
relevant since both endpoints would then benefit from the lightweight properties time or to establish fresh keys that are not revealed by a later compromise of t
of the protocol. EDHOC could, e.g., be run when a device connects for the first he long-term keys.</t>
time, or to establish fresh keys which are not revealed by a later compromise o
f the long-term keys.</t>
</section> </section>
<section anchor="message-size-examples"> <section anchor="message-size-examples">
<name>Message Size Examples</name> <name>Message Size Examples</name>
<t>Examples of EDHOC message sizes are shown in <xref target="fig-sizes" <t>Examples of EDHOC message sizes are shown in <xref target="tab-sizes"
/>, using different kinds of authentication keys and COSE header parameters for />, which use different kinds of authentication keys and COSE header parameters
identification: static Diffie-Hellman keys or signature keys, either in CBOR Web for identification, including static Diffie-Hellman keys or signature keys, eith
Token (CWT) / CWT Claims Set (CCS) <xref target="RFC8392"/> identified by a key er in CWT/CCS <xref target="RFC8392"/> identified by a key identifier using 'kid
identifier using 'kid' <xref target="RFC9052"/>, or in X.509 certificates ident ' <xref target="RFC9052"/> or in X.509 certificates identified by a hash value u
ified by a hash value using 'x5t' <xref target="RFC9360"/>. As a comparison, in sing 'x5t' <xref target="RFC9360"/>. EDHOC always uses ephemeral-ephemeral key e
the case of RPK authentication, the EDHOC message size when transferred in CoAP xchange. As a comparison, in the case of RPK authentication and when transferred
can be less than 1/7 of the DTLS 1.3 handshake <xref target="RFC9147"/> with ECD in CoAP, the EDHOC message size can be less than 1/7 of the DTLS 1.3 handshake
HE and connection ID, see <xref section="2" sectionFormat="of" target="I-D.ietf- <xref target="RFC9147"/> with Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) an
iotops-security-protocol-comparison"/>.</t> d connection ID; see <xref target="I-D.ietf-iotops-security-protocol-comparison"
<figure anchor="fig-sizes"> />.</t>
<name>Examples of EDHOC message sizes in bytes.</name> <table anchor="tab-sizes">
<artset> <name>Examples of EDHOC Message Sizes in Bytes</name>
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/200 <thead>
0/svg" version="1.1" height="208" width="472" viewBox="0 0 472 208" class="diagr <tr>
am" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap <th></th>
="round"> <th colspan="2">Static DH Keys</th>
<path d="M 8,32 L 464,32" fill="none" stroke="black"/> <th colspan="2">Signature Keys</th>
<path d="M 168,64 L 288,64" fill="none" stroke="black"/> </tr>
<path d="M 344,64 L 464,64" fill="none" stroke="black"/> <tr>
<path d="M 8,96 L 464,96" fill="none" stroke="black"/> <th></th>
<path d="M 8,160 L 464,160" fill="none" stroke="black"/> <th align="right">kid</th>
<path d="M 8,192 L 464,192" fill="none" stroke="black"/> <th align="right">x5t</th>
<g class="text"> <th align="right">kid</th>
<text x="196" y="52">Static</text> <th align="right">x5t</th>
<text x="236" y="52">DH</text>
<text x="268" y="52">Keys</text> </tr>
<text x="384" y="52">Signature</text> </thead>
<text x="444" y="52">Keys</text> <tbody>
<text x="184" y="84">kid</text> <tr>
<text x="272" y="84">x5t</text> <td>message_1</td>
<text x="360" y="84">kid</text> <td align="right">37</td>
<text x="448" y="84">x5t</text> <td align="right">37</td>
<text x="48" y="116">message_1</text> <td align="right">37</td>
<text x="188" y="116">37</text> <td align="right">37</td>
<text x="276" y="116">37</text> </tr>
<text x="364" y="116">37</text> <tr>
<text x="452" y="116">37</text> <td>message_2</td>
<text x="48" y="132">message_2</text> <td align="right">45</td>
<text x="188" y="132">45</text> <td align="right">58</td>
<text x="276" y="132">58</text> <td align="right">102</td>
<text x="360" y="132">102</text> <td align="right">115</td>
<text x="448" y="132">115</text> </tr>
<text x="48" y="148">message_3</text> <tr>
<text x="188" y="148">19</text> <td>message_3</td>
<text x="276" y="148">33</text> <td align="right">19</td>
<text x="364" y="148">77</text> <td align="right">33</td>
<text x="452" y="148">90</text> <td align="right">77</td>
<text x="32" y="180">Total</text> <td align="right">90</td>
<text x="184" y="180">101</text> </tr>
<text x="272" y="180">128</text> <tr>
<text x="360" y="180">216</text> <td>Total</td>
<text x="448" y="180">242</text> <td align="right">101</td>
</g> <td align="right">128</td>
</svg> <td align="right">216</td>
</artwork> <td align="right">242</td>
<artwork type="ascii-art" align="center"><![CDATA[ </tr>
Static DH Keys Signature Keys </tbody>
---------------- ---------------- </table>
kid x5t kid x5t
message_1 37 37 37 37
message_2 45 58 102 115
message_3 19 33 77 90
Total 101 128 216 242
]]></artwork>
</artset>
</figure>
</section> </section>
<section anchor="document-structure"> <section anchor="document-structure">
<name>Document Structure</name> <name>Document Structure</name>
<t>The remainder of the document is organized as follows: <xref target=" background"/> outlines EDHOC authenticated with signature keys, <xref target="ov erview"/> describes the protocol elements of EDHOC, including formatting of the ephemeral public keys, <xref target="key-der"/> specifies the key derivation, <x ref target="asym"/> specifies message processing for EDHOC authenticated with si gnature keys or static Diffie-Hellman keys, <xref target="error"/> describes the error messages, <xref target="duplication"/> describes EDHOC support for transp ort that does not handle message duplication, and <xref target="mti"/> lists com pliance requirements. Note that normative text is also used in appendices, in pa rticular <xref target="transfer"/>.</t> <t>The remainder of the document is organized as follows: <xref target=" background"/> outlines EDHOC authenticated with signature keys; <xref target="ov erview"/> describes the protocol elements of EDHOC, including formatting of the ephemeral public keys; <xref target="key-der"/> specifies the key derivation; <x ref target="asym"/> specifies message processing for EDHOC authenticated with si gnature keys or static Diffie-Hellman keys; <xref target="error"/> describes the error messages; <xref target="duplication"/> describes EDHOC support for transp ort that does not handle message duplication; and <xref target="mti"/> lists com pliance requirements. Note that normative text is also used in appendices, in pa rticular <xref target="transfer"/>.</t>
</section> </section>
<section anchor="term"> <section anchor="term">
<name>Terminology and Requirements Language</name> <name>Terminology and Requirements Language</name>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL <t>
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU
"MAY", and "OPTIONAL" in this document are to be interpreted as IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>
only when, they RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
appear in all capitals, as shown here. "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
<?line -6?> be interpreted as
described in BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.
</t> </t>
<t>Readers are expected to be familiar with the terms and concepts descr <t>Readers are expected to be familiar with the terms and
ibed in CBOR <xref target="RFC8949"/>, CBOR Sequences <xref target="RFC8742"/>, concepts described in CBOR <xref target="RFC8949"/>, CBOR
COSE structures and processing <xref target="RFC9052"/>, COSE algorithms <xref t Sequences <xref target="RFC8742"/>, COSE Structures and
arget="RFC9053"/>, CWT and CWT Claims Set <xref target="RFC8392"/>, and the Conc Processing <xref target="RFC9052"/>, COSE Algorithms <xref
ise Data Definition Language (CDDL, <xref target="RFC8610"/>), which is used to target="RFC9053"/>, CWT and CCS <xref
express CBOR data structures. Examples of CBOR and CDDL are provided in <xref ta target="RFC8392"/>, and the Concise Data Definition Language
rget="CBOR"/>. When referring to CBOR, this specification always refers to Deter (CDDL) <xref target="RFC8610"/>, which is used to express
ministically Encoded CBOR as specified in Sections 4.2.1 and 4.2.2 of <xref targ CBOR data structures. Examples of CBOR and CDDL are provided
et="RFC8949"/>. The single output from authenticated encryption (including the a in <xref target="CBOR"/>. When referring to CBOR, this
uthentication tag) is called "ciphertext", following <xref target="RFC5116"/>.</ specification always refers to Deterministically Encoded CBOR,
t> as specified in Sections <xref target="RFC8949" section="4.2.1" sectionF
ormat="bare"/> and <xref target="RFC8949" section="4.2.2" sectionFormat="bare"/>
of <xref
target="RFC8949"/>. The single output from authenticated
encryption (including the authentication tag) is called
"ciphertext", following <xref target="RFC5116"/>.</t>
</section> </section>
</section> </section>
<section anchor="background"> <section anchor="background">
<name>EDHOC Outline</name> <name>EDHOC Outline</name>
<t>EDHOC specifies different authentication methods of the ephemeral-ephem <t>EDHOC supports different authentication methods of the ephemeral-epheme
eral Diffie-Hellman key exchange: signature keys and static Diffie-Hellman keys. ral Diffie-Hellman key exchange. This document specifies authentication methods
This section outlines the signature key based method. Further details of protoc based on signature keys and static Diffie-Hellman keys. This section outlines th
ol elements and other authentication methods are provided in the remainder of th e signature-key-based method. Further details of protocol elements and other aut
is document.</t> hentication methods are provided in the remainder of this document.</t>
<t>SIGMA (SIGn-and-MAc) is a family of theoretical protocols with a large <t>SIGn-and-MAc (SIGMA) is a family of theoretical protocols with a number
number of variants <xref target="SIGMA"/>. Like in IKEv2 <xref target="RFC7296"/ of variants <xref target="SIGMA"/>. Like in Internet Key Exchange Protocol Vers
> and (D)TLS 1.3 <xref target="RFC8446"/><xref target="RFC9147"/>, EDHOC authent ion 2 (IKEv2) <xref target="RFC7296"/> and (D)TLS 1.3 <xref target="RFC8446"/> <
icated with signature keys is built on a variant of the SIGMA protocol, SIGMA-I, xref target="RFC9147"/>, EDHOC authenticated with signature keys is built on a v
which provides identity protection against active attacks on the party initiati ariant of the SIGMA protocol, SIGMA-I, which provides identity protection agains
ng the protocol. Also like IKEv2, EDHOC implements the MAC-then-Sign variant of t active attacks on the party initiating the protocol. Also like IKEv2, EDHOC im
the SIGMA-I protocol. The message flow (excluding an optional fourth message) is plements the MAC-then-Sign variant of the SIGMA-I protocol. The message flow (ex
shown in <xref target="fig-sigma"/>.</t> cluding an optional fourth message) is shown in <xref target="fig-sigma"/>.</t>
<figure anchor="fig-sigma"> <figure anchor="fig-sigma">
<name>MAC-then-Sign variant of the SIGMA-I protocol used by EDHOC method 0.</name> <name>MAC-then-Sign Variant of the SIGMA-I Protocol Used by the EDHOC Me thod 0</name>
<artset> <artset>
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/ svg" version="1.1" height="192" width="560" viewBox="0 0 560 192" class="diagram " text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap=" round"> <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/ svg" version="1.1" height="" width="" viewBox="0 0 560 192" class="diagram" text -anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round" >
<path d="M 8,48 L 8,176" fill="none" stroke="black"/> <path d="M 8,48 L 8,176" fill="none" stroke="black"/>
<path d="M 552,48 L 552,176" fill="none" stroke="black"/> <path d="M 552,48 L 552,176" fill="none" stroke="black"/>
<path d="M 8,64 L 544,64" fill="none" stroke="black"/> <path d="M 8,64 L 544,64" fill="none" stroke="black"/>
<path d="M 16,112 L 552,112" fill="none" stroke="black"/> <path d="M 16,112 L 552,112" fill="none" stroke="black"/>
<path d="M 8,160 L 544,160" fill="none" stroke="black"/> <path d="M 8,160 L 544,160" fill="none" stroke="black"/>
<polygon class="arrowhead" points="552,160 540,154.4 540,165.6" fi ll="black" transform="rotate(0,544,160)"/> <polygon class="arrowhead" points="552,160 540,154.4 540,165.6" fi ll="black" transform="rotate(0,544,160)"/>
<polygon class="arrowhead" points="552,64 540,58.4 540,69.6" fill= "black" transform="rotate(0,544,64)"/> <polygon class="arrowhead" points="552,64 540,58.4 540,69.6" fill= "black" transform="rotate(0,544,64)"/>
<polygon class="arrowhead" points="24,112 12,106.4 12,117.6" fill= "black" transform="rotate(180,16,112)"/> <polygon class="arrowhead" points="24,112 12,106.4 12,117.6" fill= "black" transform="rotate(180,16,112)"/>
<g class="text"> <g class="text">
<text x="40" y="36">Initiator</text> <text x="40" y="36">Initiator</text>
skipping to change at line 208 skipping to change at line 221
| | | |
| G_Y, Enc( ID_CRED_R, Sig( R; MAC( CRED_R, G_X, G_Y ) ) ) | | G_Y, Enc( ID_CRED_R, Sig( R; MAC( CRED_R, G_X, G_Y ) ) ) |
|<------------------------------------------------------------------+ |<------------------------------------------------------------------+
| | | |
| AEAD( ID_CRED_I, Sig( I; MAC( CRED_I, G_Y, G_X ) ) ) | | AEAD( ID_CRED_I, Sig( I; MAC( CRED_I, G_Y, G_X ) ) ) |
+------------------------------------------------------------------>| +------------------------------------------------------------------>|
| | | |
]]></artwork> ]]></artwork>
</artset> </artset>
</figure> </figure>
<t>The parties exchanging messages in an EDHOC session are called Initiato r (I) and Responder (R), where the Initiator sends message_1 (see <xref target=" overview"/>). They exchange ephemeral public keys, compute a shared secret sessi on key PRK_out, and derive symmetric application keys used to protect applicatio n data.</t> <t>The parties exchanging messages in an EDHOC session are called the Init iator (I) and the Responder (R), where the Initiator sends message_1 (see <xref target="overview"/>). They exchange ephemeral public keys, compute a shared secr et session key PRK_out, and derive symmetric application keys used to protect ap plication data.</t>
<ul spacing="normal"> <ul spacing="normal">
<li>G_X and G_Y are the ECDH ephemeral public keys of I and R, respectiv ely.</li> <li>G_X and G_Y are the Elliptic Curve Diffie-Hellman (ECDH) ephemeral p ublic keys of I and R, respectively.</li>
<li>CRED_I and CRED_R are the authentication credentials containing the public authentication keys of I and R, respectively.</li> <li>CRED_I and CRED_R are the authentication credentials containing the public authentication keys of I and R, respectively.</li>
<li>ID_CRED_I and ID_CRED_R are used to identify and optionally transpor t the credentials of the Initiator and the Responder, respectively.</li> <li>ID_CRED_I and ID_CRED_R are used to identify and optionally transpor t the credentials of I and R, respectively.</li>
<li>Sig(I; . ) and Sig(R; . ) denote signatures made with the private au thentication key of I and R, respectively.</li> <li>Sig(I; . ) and Sig(R; . ) denote signatures made with the private au thentication key of I and R, respectively.</li>
<li>Enc(), AEAD(), and MAC() denotes encryption, authenticated encryptio n with additional data, and message authentication code - crypto algorithms appl ied with keys derived from one or more shared secrets calculated during the prot ocol.</li> <li>Enc(), AEAD(), and MAC() denote encryption, Authenticated Encryption with Associated Data, and Message Authentication Code -- crypto algorithms appl ied with keys derived from one or more shared secrets calculated during the prot ocol.</li>
</ul> </ul>
<t>In order to create a "full-fledged" protocol some additional protocol e lements are needed. EDHOC adds:</t> <t>In order to create a "full-fledged" protocol, some additional protocol elements are needed. This specification adds:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>Transcript hashes (hashes of message data) TH_2, TH_3, TH_4 used for <li>transcript hashes (hashes of message data), TH_2, TH_3, and TH_4, us
key derivation and as additional authenticated data.</li> ed for key derivation and as additional authenticated data,</li>
<li>Computationally independent keys derived from the ECDH shared secret <li>computationally independent keys derived from the ECDH shared secret
and used for authenticated encryption of different messages.</li> and used for authenticated encryption of different messages,</li>
<li>An optional fourth message giving key confirmation to I in deploymen <li>an optional fourth message giving key confirmation to I in deploymen
ts where no protected application data is sent from R to I.</li> ts where no protected application data is sent from R to I,</li>
<li>A keying material exporter and a key update function with forward se <li>a keying material exporter and a key update function with forward se
crecy.</li> crecy,</li>
<li>Secure negotiation of cipher suite.</li> <li>secure negotiation of the cipher suite,</li>
<li>Method types, error handling, and padding.</li> <li>method types, error handling, and padding,</li>
<li>Selection of connection identifiers C_I and C_R which may be used in <li>the selection of connection identifiers, C_I and C_R, which may be u
EDHOC to identify protocol state.</li> sed in EDHOC to identify the protocol state, and</li>
<li>Transport of external authorization data.</li> <li>transport of external authorization data.</li>
</ul> </ul>
<t>EDHOC is designed to encrypt and integrity protect as much information <t>EDHOC is designed to encrypt and integrity protect as much information
as possible. Symmetric keys and random material used in EDHOC are derived using as possible. Symmetric keys and random material used in EDHOC are derived using
EDHOC_KDF with as much previous information as possible, see <xref target="fig-e EDHOC_KDF with as much previous information as possible; see <xref target="fig-e
dhoc-kdf"/>. EDHOC is furthermore designed to be as compact and lightweight as p dhoc-kdf"/>. EDHOC is furthermore designed to be as compact and lightweight as p
ossible, in terms of message sizes, processing, and the ability to reuse already ossible, in terms of message sizes, processing, and the ability to reuse already
existing CBOR, COSE, and CoAP libraries. Like in (D)TLS, authentication is the existing CBOR, COSE, and CoAP libraries. Like in (D)TLS, authentication is the
responsibility of the application. EDHOC identifies (and optionally transports) responsibility of the application. EDHOC identifies (and optionally transports)
authentication credentials, and provides proof-of-possession of the private auth authentication credentials and provides proof-of-possession of the private authe
entication key.</t> ntication key.</t>
<t>To simplify for implementors, the use of CBOR and COSE in EDHOC is summ <t>To simplify for implementors, the use of CBOR, CDDL, and COSE in EDHOC
arized in <xref target="CBORandCOSE"/>. Test vectors including CBOR diagnostic n is summarized in <xref target="CBORandCOSE"/>. Test vectors, including CBOR diag
otation are provided in <xref target="I-D.ietf-lake-traces"/>.</t> nostic notation, are provided in <xref target="RFC9529"/>.</t>
</section> </section>
<section anchor="overview"> <section anchor="overview">
<name>Protocol Elements</name> <name>Protocol Elements</name>
<section anchor="general"> <section anchor="general">
<name>General</name> <name>General</name>
<t>The EDHOC protocol consists of three mandatory messages (message_1, m <t>The EDHOC protocol consists of three mandatory messages (message_1, m
essage_2, message_3), an optional fourth message (message_4), and an error messa essage_2, and message_3), an optional fourth message (message_4), and an error m
ge, between an Initiator (I) and a Responder (R). The odd messages are sent by I essage, between an Initiator (I) and a Responder (R). The odd messages are sent
, the even by R. Both I and R can send error messages. by I, the even by R. Both I and R can send error messages.
The roles have slightly different security properties which should be considered The roles have slightly different security properties that should be considered
when the roles are assigned, see <xref target="sec-prop"/>. when the roles are assigned; see <xref target="sec-prop"/>.
All EDHOC messages are CBOR Sequences <xref target="RFC8742"/>, and are determin All EDHOC messages are CBOR Sequences <xref target="RFC8742"/> and are defined t
istically encoded. <xref target="fig-flow"/> illustrates an EDHOC message flow w o be deterministically encoded CBOR as specified in <xref target="RFC8949" secti
ith the optional fourth message as well as the content of each message. The prot onFormat="of" section="4.2.1"/>. <xref target="fig-flow"/> illustrates an EDHOC
ocol elements in the figure are introduced in <xref target="overview"/> and <xre message flow with the optional fourth message as well as the content of each mes
f target="asym"/>. Message formatting and processing are specified in <xref targ sage. The protocol elements in the figure are introduced in Sections <xref targe
et="asym"/> and <xref target="error"/>.</t> t="overview" format="counter"/> and <xref target="asym" format="counter"/>. Mess
<t>Application data may be protected using the agreed application algori age formatting and processing are specified in Sections <xref target="asym" form
thms (AEAD, hash) in the selected cipher suite (see <xref target="cs"/>) and the at="counter"/> and <xref target="error" format="counter"/>.</t>
application can make use of the established connection identifiers C_I and C_R <t>Application data may be protected using the agreed application algori
(see <xref target="ci"/>). Media types that may be used for EDHOC are defined in thms (AEAD, hash) in the selected cipher suite (see <xref target="cs"/>), and th
<xref target="media-type"/>.</t> e application can make use of the established connection identifiers C_I and C_R
<t>The Initiator can derive symmetric application keys after creating ED (see <xref target="ci"/>). Media types that may be used for EDHOC are defined i
HOC message_3, see <xref target="exporter"/>. Protected application data can the n <xref target="media-type"/>.</t>
refore be sent in parallel or together with EDHOC message_3. EDHOC message_4 is <t>The Initiator can derive symmetric application keys after creating ED
typically not sent.</t> HOC message_3; see <xref target="exporter"/>. Protected application data can the
refore be sent in parallel or together with EDHOC message_3. EDHOC message_4 is
typically not sent.</t>
<figure anchor="fig-flow"> <figure anchor="fig-flow">
<name>EDHOC message flow including the optional fourth message.</name> <name>EDHOC Message Flow Including the Optional Fourth Message</name>
<artset> <artset>
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/200 0/svg" version="1.1" height="288" width="560" viewBox="0 0 560 288" class="diagr am" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap ="round"> <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/200 0/svg" version="1.1" height="" width="" viewBox="0 0 560 288" class="diagram" te xt-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="roun d">
<path d="M 8,48 L 8,272" fill="none" stroke="black"/> <path d="M 8,48 L 8,272" fill="none" stroke="black"/>
<path d="M 552,48 L 552,272" fill="none" stroke="black"/> <path d="M 552,48 L 552,272" fill="none" stroke="black"/>
<path d="M 8,64 L 544,64" fill="none" stroke="black"/> <path d="M 8,64 L 544,64" fill="none" stroke="black"/>
<path d="M 16,128 L 552,128" fill="none" stroke="black"/> <path d="M 16,128 L 552,128" fill="none" stroke="black"/>
<path d="M 8,192 L 544,192" fill="none" stroke="black"/> <path d="M 8,192 L 544,192" fill="none" stroke="black"/>
<polygon class="arrowhead" points="552,192 540,186.4 540,197.6" fill="black" transform="rotate(0,544,192)"/> <polygon class="arrowhead" points="552,192 540,186.4 540,197.6" fill="black" transform="rotate(0,544,192)"/>
<polygon class="arrowhead" points="552,64 540,58.4 540,69.6" fil l="black" transform="rotate(0,544,64)"/> <polygon class="arrowhead" points="552,64 540,58.4 540,69.6" fil l="black" transform="rotate(0,544,64)"/>
<polygon class="arrowhead" points="24,128 12,122.4 12,133.6" fil l="black" transform="rotate(180,16,128)"/> <polygon class="arrowhead" points="24,128 12,122.4 12,133.6" fil l="black" transform="rotate(180,16,128)"/>
<g class="text"> <g class="text">
<text x="40" y="36">Initiator</text> <text x="40" y="36">Initiator</text>
skipping to change at line 337 skipping to change at line 350
| | | |
| AEAD( EAD_4 ) | | AEAD( EAD_4 ) |
|<- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + |<- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| message_4 | | message_4 |
]]></artwork> ]]></artwork>
</artset> </artset>
</figure> </figure>
</section> </section>
<section anchor="method"> <section anchor="method">
<name>Method</name> <name>Method</name>
<t>The data item METHOD in message_1 (see <xref target="asym-msg1-form"/ <t>The data item METHOD in message_1 (see <xref target="asym-msg1-form"/
>), is an integer specifying the authentication method. EDHOC supports authentic >) is an integer specifying the authentication method. EDHOC currently supports
ation with signature or static Diffie-Hellman keys, as defined in the four authe authentication with signature or static Diffie-Hellman keys, as defined in the f
ntication methods: 0, 1, 2, and 3, see <xref target="fig-method-types"/>. When u our authentication methods: 0, 1, 2, and 3; see <xref target="tab-method-types"/
sing a static Diffie-Hellman key the authentication is provided by a Message Aut >. When using a static Diffie-Hellman key, the authentication is provided by a M
hentication Code (MAC) computed from an ephemeral-static ECDH shared secret whic essage Authentication Code (MAC) computed from an ephemeral-static ECDH shared s
h enables significant reductions in message sizes. Note that also in the static ecret that enables significant reductions in message sizes. Note that, also in t
Diffie-Hellman based authentication methods there is an ephemeral-ephemeral Diff he static Diffie-Hellman-based authentication methods, there is an ephemeral-eph
ie-Hellman key exchange.</t> emeral Diffie-Hellman key exchange.</t>
<t>The Initiator and the Responder need to have agreed on a single metho <t>The Initiator and Responder need to have agreed on a single method to
d to be used for EDHOC, see <xref target="applicability"/>.</t> be used for EDHOC; see <xref target="applicability"/>.</t>
<figure anchor="fig-method-types">
<name>Authentication keys for method types.</name> <table anchor="tab-method-types">
<artset> <name>Authentication Keys for Method Types</name>
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/200 <thead>
0/svg" version="1.1" height="176" width="464" viewBox="0 0 464 176" class="diagr <tr>
am" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap <th>Method Type Value</th>
="round"> <th>Initiator Authentication Key</th>
<path d="M 8,32 L 8,160" fill="none" stroke="black"/> <th>Responder Authentication Key</th>
<path d="M 120,32 L 120,160" fill="none" stroke="black"/> </tr>
<path d="M 288,32 L 288,160" fill="none" stroke="black"/> </thead>
<path d="M 456,32 L 456,160" fill="none" stroke="black"/> <tbody>
<path d="M 8,32 L 456,32" fill="none" stroke="black"/>
<path d="M 8,78 L 456,78" fill="none" stroke="black"/> <tr>
<path d="M 8,82 L 456,82" fill="none" stroke="black"/> <td align="right">0</td>
<path d="M 8,160 L 456,160" fill="none" stroke="black"/> <td>Signature Key</td>
<g class="text"> <td>Signature Key</td>
<text x="44" y="52">Method</text> </tr>
<text x="92" y="52">Type</text> <tr>
<text x="168" y="52">Initiator</text> <td align="right">1</td>
<text x="336" y="52">Responder</text> <td>Signature Key</td>
<text x="88" y="68">Value</text> <td>Static DH Key</td>
<text x="188" y="68">Authentication</text> </tr>
<text x="264" y="68">Key</text> <tr>
<text x="356" y="68">Authentication</text> <td align="right">2</td>
<text x="432" y="68">Key</text> <td>Static DH Key</td>
<text x="104" y="100">0</text> <td>Signature Key</td>
<text x="168" y="100">Signature</text> </tr>
<text x="224" y="100">Key</text> <tr>
<text x="336" y="100">Signature</text> <td align="right">3</td>
<text x="392" y="100">Key</text> <td>Static DH Key</td>
<text x="104" y="116">1</text> <td>Static DH Key</td>
<text x="168" y="116">Signature</text> </tr>
<text x="224" y="116">Key</text> <tr>
<text x="324" y="116">Static</text> <td align="right">23</td>
<text x="364" y="116">DH</text> <td>Reserved</td>
<text x="392" y="116">Key</text> <td>Reserved</td>
<text x="104" y="132">2</text> </tr>
<text x="156" y="132">Static</text> </tbody>
<text x="196" y="132">DH</text> </table>
<text x="224" y="132">Key</text>
<text x="336" y="132">Signature</text> <t>EDHOC does not have a dedicated message field to indicate the prot
<text x="392" y="132">Key</text> ocol version. Breaking changes to EDHOC can be introduced by specifying and regi
<text x="104" y="148">3</text> stering new methods.</t>
<text x="156" y="148">Static</text>
<text x="196" y="148">DH</text>
<text x="224" y="148">Key</text>
<text x="324" y="148">Static</text>
<text x="364" y="148">DH</text>
<text x="392" y="148">Key</text>
</g>
</svg>
</artwork>
<artwork type="ascii-art" align="center"><![CDATA[
+-------------+--------------------+--------------------+
| Method Type | Initiator | Responder |
| Value | Authentication Key | Authentication Key |
+=============+====================+====================+
| 0 | Signature Key | Signature Key |
| 1 | Signature Key | Static DH Key |
| 2 | Static DH Key | Signature Key |
| 3 | Static DH Key | Static DH Key |
+-------------+--------------------+--------------------+
]]></artwork>
</artset>
</figure>
<t>EDHOC does not have a dedicated message field to indicate the protoco
l version. Breaking changes to EDHOC can be introduced by specifying and registe
ring new methods.</t>
</section> </section>
<section anchor="ci"> <section anchor="ci">
<name>Connection Identifiers</name> <name>Connection Identifiers</name>
<t>EDHOC includes the selection of connection identifiers (C_I, C_R) ide <t>EDHOC includes the selection of connection identifiers (C_I and C_R)
ntifying a connection for which keys are agreed.</t> identifying a connection for which keys are agreed.</t>
<t>Connection identifiers may be used to correlate EDHOC messages and fa <t>Connection identifiers may be used to correlate EDHOC messages and fa
cilitate the retrieval of protocol state during an EDHOC session (see <xref targ cilitate the retrieval of protocol state during an EDHOC session (see <xref targ
et="transport"/>), or may be used in applications of EDHOC, e.g., in OSCORE (see et="transport"/>) or may be used in applications of EDHOC, e.g., in OSCORE (see
<xref target="ci-oscore"/>). The connection identifiers do not have any cryptog <xref target="ci-oscore"/>). The connection identifiers do not have any cryptogr
raphic purpose in EDHOC and only facilitate the retrieval of security data assoc aphic purpose in EDHOC and only facilitate the retrieval of security data associ
iated with the protocol state.</t> ated with the protocol state.</t>
<t>Connection identifiers in EDHOC are intrinsically byte strings. Most <t>Connection identifiers in EDHOC are intrinsically byte strings. Most
constrained devices only have a few connections for which short identifiers may constrained devices only have a few connections for which short identifiers may
be sufficient. In some cases minimum length identifiers are necessary to comply be sufficient. In some cases, minimum length identifiers are necessary to comply
with overhead requirements. However, CBOR byte strings - with the exception of t with overhead requirements. However, CBOR byte strings -- with the exception of
he empty byte string h’’ which encodes as one byte (0x40) - are encoded as two o the empty byte string h'', which encodes as one byte (0x40) -- are encoded as t
r more bytes. To enable one-byte encoding of certain byte strings while maintain wo or more bytes. To enable one-byte encoding of certain byte strings while main
ing CBOR encoding, EDHOC represents certain identifiers as CBOR integers on the taining CBOR encoding, EDHOC represents certain identifiers as CBOR integers on
wire, see <xref target="bstr-repr"/>.</t> the wire; see <xref target="bstr-repr"/>.</t>
<section anchor="selection-of-connection-identifiers"> <section anchor="selection-of-connection-identifiers">
<name>Selection of Connection Identifiers</name> <name>Selection of Connection Identifiers</name>
<t>C_I and C_R are chosen by I and R, respectively. The Initiator sele <t>C_I and C_R are chosen by I and R, respectively. The Initiator sele
cts C_I and sends it in message_1 for the Responder to use as a reference to the cts C_I and sends it in message_1 for the Responder to use as a reference to the
connection in communication with the Initiator. The Responder selects C_R and s connection in communications with the Initiator. The Responder selects C_R and
ends it in message_2 for the Initiator to use as a reference to the connection i sends it in message_2 for the Initiator to use as a reference to the connection
n communications with the Responder.</t> in communications with the Responder.</t>
<t>If connection identifiers are used by an application protocol for w <t>If connection identifiers are used by an application protocol for w
hich EDHOC establishes keys then the selected connection identifiers SHALL adher hich EDHOC establishes keys, then the selected connection identifiers <bcp14>SHA
e to the requirements for that protocol, see <xref target="ci-oscore"/> for an e LL</bcp14> adhere to the requirements for that protocol; see <xref target="ci-os
xample.</t> core"/> for an example.</t>
</section> </section>
<section anchor="bstr-repr"> <section anchor="bstr-repr">
<name>Representation of Byte String Identifiers</name> <name>Representation of Byte String Identifiers</name>
<t>To allow identifiers with minimal overhead on the wire, certain byt <t>To allow identifiers with minimal overhead on the wire, certain byt
e strings are defined to have integer representations.</t> e strings used in connection identifiers and credential identifiers (see <xref t
<t>The integers with one-byte CBOR encoding are -24, ..., 23, see <xre arget="id_cred"/>) are defined to have integer representations.</t>
f target="fig-int-one-byte"/>.</t> <t>The integers with one-byte CBOR encoding are -24, ..., 23; see <xre
f target="fig-int-one-byte"/>.</t>
<figure anchor="fig-int-one-byte"> <figure anchor="fig-int-one-byte">
<name>One-byte CBOR encoded integers.</name> <name>One-Byte CBOR-Encoded Integers</name>
<artwork align="center"><![CDATA[ <artwork align="center"><![CDATA[
Integer: -24 -23 ... -11 ... -2 -1 0 1 ... 15 ... 23 Integer: -24 -23 ... -11 ... -2 -1 0 1 ... 15 ... 23
Encoding: 37 36 ... 2A ... 21 20 00 01 ... 0F ... 17 Encoding: 37 36 ... 2A ... 21 20 00 01 ... 0F ... 17
]]></artwork> ]]></artwork>
</figure> </figure>
<t>The byte strings which coincide with a one-byte CBOR encoding of an integer MUST be represented by the CBOR encoding of that integer. Other byte st rings are simply encoded as CBOR byte strings.</t> <t>The byte strings that coincide with a one-byte CBOR encoding of an integer <bcp14>MUST</bcp14> be represented by the CBOR encoding of that integer. Other byte strings are simply encoded as CBOR byte strings.</t>
<t>For example:</t> <t>For example:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>0x21 is represented by 0x21 (CBOR encoding of the integer -2), n ot by 0x4121 (CBOR encoding of the byte string 0x21).</li> <li>0x21 is represented by 0x21 (CBOR encoding of the integer -2), n ot by 0x4121 (CBOR encoding of the byte string 0x21).</li>
<li>0x0D is represented by 0x0D (CBOR encoding of the integer 13), n ot by 0x410D (CBOR encoding of the byte string 0x0D).</li> <li>0x0D is represented by 0x0D (CBOR encoding of the integer 13), n ot by 0x410D (CBOR encoding of the byte string 0x0D).</li>
<li>0x18 is represented by 0x4118 (CBOR encoding of the byte string 0x18).</li> <li>0x18 is represented by 0x4118 (CBOR encoding of the byte string 0x18).</li>
<li>0x38 is represented by 0x4138 (CBOR encoding of the byte string 0x38).</li> <li>0x38 is represented by 0x4138 (CBOR encoding of the byte string 0x38).</li>
<li>0xABCD is represented by 0x42ABCD (CBOR encoding of the byte str ing 0xABCD).</li> <li>0xABCD is represented by 0x42ABCD (CBOR encoding of the byte str ing 0xABCD).</li>
</ul> </ul>
<t>One may view this representation of byte strings as a transport enc <t>One may view this representation of byte strings as a transport enc
oding: a byte string which parses as the one-byte CBOR encoding of an integer (i oding, i.e., a byte string that parses as the one-byte CBOR encoding of an integ
.e., integer in the interval -24, ..., 23) is just copied directly into the mess er (i.e., integer in the interval -24, ..., 23) is just copied directly into the
age, a byte string which does not is encoded as a CBOR byte string during transp message, and a byte string that does not is encoded as a CBOR byte string durin
ort.</t> g transport.</t>
<t>Implementation Note: When implementing the byte string identifier r <aside><t>Implementation Note: When implementing the byte string ident
epresentation, it can in some programming languages help to define a new type, o ifier representation, in some programming languages, it can help to define a new
r other data structure, which (in its user facing API) behaves like a byte strin type or other data structure, which (in its user-facing API) behaves like a byt
g, but when serializing to CBOR produces a CBOR byte string or a CBOR integer de e string but when serializing to CBOR produces a CBOR byte string or a CBOR inte
pending on its value.</t> ger depending on its value.</t></aside>
</section> </section>
<section anchor="ci-oscore"> <section anchor="ci-oscore">
<name>Use of Connection Identifiers with OSCORE</name> <name>Use of Connection Identifiers with OSCORE</name>
<t>For OSCORE, the choice of connection identifier results in the endp oint selecting its Recipient ID, see Section 3.1 of <xref target="RFC8613"/>, fo r which certain uniqueness requirements apply, see Section 3.3 of <xref target=" RFC8613"/>. Therefore, the Initiator and the Responder MUST NOT select connectio n identifiers such that it results in the same OSCORE Recipient ID. Since the co nnection identifier is a byte string, it is converted to an OSCORE Recipient ID equal to the byte string.</t> <t>For OSCORE, the choice of connection identifier results in the endp oint selecting its Recipient ID (see <xref target="RFC8613" section="3.1" sectio nFormat="of"/>) for which certain uniqueness requirements apply (see <xref targe t="RFC8613" section="3.3" sectionFormat="of"/>). Therefore, the Initiator and Re sponder <bcp14>MUST NOT</bcp14> select connection identifiers such that it resul ts in the same OSCORE Recipient ID. Since the connection identifier is a byte st ring, it is converted to an OSCORE Recipient ID equal to the byte string.</t>
<t>Examples:</t> <t>Examples:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>A connection identifier 0xFF (represented in the EDHOC message a <li>A connection identifier 0xFF (represented in the EDHOC message a
s 0x41FF, see <xref target="bstr-repr"/>) is converted to the OSCORE Recipient I s 0x41FF; see <xref target="bstr-repr"/>) is converted to the OSCORE Recipient I
D 0xFF.</li> D 0xFF.</li>
<li>A connection identifier 0x21 (represented in the EDHOC message a <li>A connection identifier 0x21 (represented in the EDHOC message a
s 0x21, see <xref target="bstr-repr"/>) is converted to the OSCORE Recipient ID s 0x21; see <xref target="bstr-repr"/>) is converted to the OSCORE Recipient ID
0x21.</li> 0x21.</li>
</ul> </ul>
</section> </section>
</section> </section>
<section anchor="transport"> <section anchor="transport">
<name>Transport</name> <name>Transport</name>
<t>Cryptographically, EDHOC does not put requirements on the underlying <t>Cryptographically, EDHOC does not put requirements on the underlying
layers. Received messages are processed as the expected next message according t layers. Received messages are processed as the expected next message according t
o protocol state, see <xref target="asym"/>. If processing fails for any reason o the protocol state; see <xref target="asym"/>. If processing fails for any rea
then, typically, an error message is attempted to be sent and the EDHOC session son, then typically an error message is attempted to be sent and the EDHOC sessi
is aborted.</t> on is aborted.</t>
<t>EDHOC is not bound to a particular transport layer and can even be us <t>EDHOC is not bound to a particular transport layer and can even be us
ed in environments without IP. Ultimately, the application is free to choose how ed in environments without IP. Ultimately, the application is free to choose how
to transport EDHOC messages including errors. In order to avoid unnecessary mes to transport EDHOC messages including errors. In order to avoid unnecessary mes
sage processing or protocol termination, it is RECOMMENDED to use reliable trans sage processing or protocol termination, it is <bcp14>RECOMMENDED</bcp14> to use
port, such as CoAP in reliable mode, which is the default transport, see <xref t reliable transport, such as CoAP in reliable mode, which is the default transpo
arget="coap"/>. In general, the transport SHOULD handle:</t> rt; see <xref target="coap"/>. In general, the transport <bcp14>SHOULD</bcp14> h
andle:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>message loss,</li> <li>message loss,</li>
<li>message duplication, see <xref target="duplication"/> for an alter native,</li> <li>message duplication (see <xref target="duplication"/> for an alter native),</li>
<li>flow control,</li> <li>flow control,</li>
<li>congestion control,</li> <li>congestion control,</li>
<li>fragmentation and reassembly,</li> <li>fragmentation and reassembly,</li>
<li>demultiplexing EDHOC messages from other types of messages,</li> <li>demultiplexing EDHOC messages from other types of messages,</li>
<li>denial-of-service mitigation,</li> <li>denial-of-service mitigation, and</li>
<li>message correlation, see <xref target="ci-edhoc"/>.</li> <li>message correlation (see <xref target="ci-edhoc"/>).</li>
</ul> </ul>
<t>EDHOC does not require error free transport since a change in message <t>EDHOC does not require error-free transport since a change in message
content is detected through the transcript hashes in a subsequent integrity ver content is detected through the transcript hashes in a subsequent integrity ver
ification, see <xref target="asym"/>. The transport does not require additional ification; see <xref target="asym"/>. The transport does not require additional
means to handle message reordering because of the lockstep processing of EDHOC.< means to handle message reordering because of the lockstep processing of EDHOC.<
/t> /t>
<t>EDHOC is designed to enable an authenticated key exchange with small <t>EDHOC is designed to enable an authenticated key exchange with small
messages, where the minimum message sizes are of the order illustrated in the fi messages, where the minimum message sizes are of the order illustrated in the fi
rst column of <xref target="fig-sizes"/>. There is no maximum message size speci rst column of <xref target="tab-sizes"/>. There is no maximum message size speci
fied by the protocol; this is for example dependent on the size of authenticatio fied by the protocol; for example, this is dependent on the size of the authenti
n credentials (if they are transported, see <xref target="auth-key-id"/>).</t> cation credentials (if they are transported, see <xref target="auth-key-id"/>).
<t>The use of transport is specified in the application profile, which i The encryption of very large content in message_2 when using certain hash algori
n particular may specify limitations in message sizes, see <xref target="applica thms is described in <xref target="large-plaintext_2"/>.</t>
bility"/>.</t> <t>The use of transport is specified in the application profile, which i
n particular, may specify limitations in message sizes; see <xref target="applic
ability"/>.</t>
<section anchor="ci-edhoc"> <section anchor="ci-edhoc">
<name>EDHOC Message Correlation</name> <name>EDHOC Message Correlation</name>
<t>Correlation between EDHOC messages is needed to facilitate the retr <t>Correlation between EDHOC messages is needed to facilitate the retr
ieval of protocol state and security context during an EDHOC session. It is also ieval of the protocol state and security context during an EDHOC session. It is
helpful for the Responder to get an indication that a received EDHOC message is also helpful for the Responder to get an indication that a received EDHOC messag
the beginning of a new EDHOC session, such that no existing protocol state or s e is the beginning of a new EDHOC session, such that no existing protocol state
ecurity context needs to be retrieved.</t> or security context needs to be retrieved.</t>
<t>Correlation may be based on existing mechanisms in the transport pr <t>Correlation may be based on existing mechanisms in the transport pr
otocol, for example, the CoAP Token may be used to correlate EDHOC messages in a otocol; for example, the CoAP Token may be used to correlate EDHOC messages in a
CoAP response and in an associated CoAP request. The connection identifiers may CoAP response and in an associated CoAP request. The connection identifiers may
also be used to correlate EDHOC messages.</t> also be used to correlate EDHOC messages.</t>
<t>If correlation between consecutive messages is not provided by othe <t>If correlation between consecutive messages is not provided by othe
r means then the transport binding SHOULD mandate prepending of an appropriate c r means, then the transport binding <bcp14>SHOULD</bcp14> mandate prepending of
onnection identifier (when available from the EDHOC protocol) to the EDHOC messa an appropriate connection identifier (when available from the EDHOC protocol) to
ge. If message_1 indication is not provided by other means, then the transport b the EDHOC message. If message_1 indication is not provided by other means, then
inding SHOULD mandate prepending of message_1 with the CBOR simple value <tt>tru the transport binding <bcp14>SHOULD</bcp14> mandate prepending of message_1 wit
e</tt> (0xf5).</t> h the CBOR simple value <tt>true</tt> (0xf5).</t>
<t>Transport of EDHOC in CoAP payloads is described in <xref target="c oap"/>, including how to use connection identifiers and message_1 indication wit h CoAP. A similar construction is possible for other client-server protocols. Pr otocols that do not provide any correlation at all can prescribe prepending of t he peer's connection identifier to all messages.</t> <t>Transport of EDHOC in CoAP payloads is described in <xref target="c oap"/>, including how to use connection identifiers and message_1 indication wit h CoAP. A similar construction is possible for other client-server protocols. Pr otocols that do not provide any correlation at all can prescribe prepending of t he peer's connection identifier to all messages.</t>
<t>Note that correlation between EDHOC messages may be obtained withou t transport support or connection identifiers, for example if the endpoints only accept a single instance of the protocol at a time, and execute conditionally o n a correct sequence of messages.</t> <t>Note that correlation between EDHOC messages may be obtained withou t transport support or connection identifiers, for example, if the endpoints onl y accept a single instance of the protocol at a time and execute conditionally o n a correct sequence of messages.</t>
</section> </section>
</section> </section>
<section anchor="auth-key-id"> <section anchor="auth-key-id">
<name>Authentication Parameters</name> <name>Authentication Parameters</name>
<t>EDHOC supports various settings for how the other endpoint's authenti <t>EDHOC supports various settings for how the other endpoint's public k
cation (public) key may be transported, identified, and trusted.</t> ey for authentication may be transported, identified, and trusted. We shall use
<t>EDHOC performs the following authentication related operations:</t> the term "authentication key" to mean key used for authentication in general, or
specifically, the public key, when there is no risk for confusion.</t>
<t>EDHOC performs the following authentication-related operations:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>EDHOC transports information about credentials in ID_CRED_I and ID _CRED_R (described in <xref target="id_cred"/>). Based on this information, the authentication credentials CRED_I and CRED_R (described in <xref target="auth-cr ed"/>) can be obtained. EDHOC may also transport certain authentication related information as External Authorization Data (see <xref target="AD"/>).</li> <li>EDHOC transports information about credentials in ID_CRED_I and ID _CRED_R (described in <xref target="id_cred"/>). Based on this information, the authentication credentials CRED_I and CRED_R (described in <xref target="auth-cr ed"/>) can be obtained. EDHOC may also transport certain authentication-related information as external authorization data (see <xref target="AD"/>).</li>
<li> <li>
<t>EDHOC uses the authentication credentials in two ways (see <xref target="asym-msg2-proc"/> and <xref target="asym-msg3-proc"/>): <t>EDHOC uses the authentication credentials in two ways (see Sectio ns <xref target="asym-msg2-proc" format="counter"/> and <xref target="asym-msg3- proc" format="counter"/>):
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>The authentication credential is input to the integrity verifi cation using the MAC fields.</li> <li>The authentication credential is input to the integrity verifi cation using the MAC fields.</li>
<li>The authentication key of the authentication credential is use d with the Signature_or_MAC field to verify proof-of-possession of the private k ey.</li> <li>The authentication key of the authentication credential is use d with the Signature_or_MAC field to verify proof-of-possession of the private k ey.</li>
</ul> </ul>
</li> </li>
</ul> </ul>
<t>Other authentication related verifications are out of scope for EDHOC <t>Other authentication-related verifications are out of scope for EDHOC
, and is the responsibility of the application. In particular, the authenticatio and are the responsibility of the application. In particular, the authenticatio
n credential needs to be validated in the context of the connection for which ED n credential needs to be validated in the context of the connection for which ED
HOC is used, see <xref target="auth-validation"/>. EDHOC MUST allow the applicat HOC is used; see <xref target="auth-validation"/>. EDHOC <bcp14>MUST</bcp14> all
ion to read received information about credential (ID_CRED_R, ID_CRED_I). EDHOC ow the application to read received information about credentials in ID_CRED_R a
MUST have access to the authentication key and the authentication credential.</t nd ID_CRED_I. EDHOC <bcp14>MUST</bcp14> have access to the authentication key an
> d the authentication credential.</t>
<t>Note that the type of authentication key, authentication credential, <t>Note that the type of authentication key, the type of authentication
and the identification of the credential have a large impact on the message size credential, and the identification of the credential have a large impact on the
. For example, the Signature_or_MAC field is much smaller with a static DH key t message size. For example, the Signature_or_MAC field is much smaller with a sta
han with a signature key. A CWT Claims Set (CCS) is much smaller than a self-sig tic DH key than with a signature key. A CWT Claims Set (CCS) is much smaller tha
ned certificate/CWT, but if it is possible to reference the credential with a CO n a self-signed certificate / CWT, but if it is possible to reference the creden
SE header like 'kid', then that is in turn much smaller than a CCS.</t> tial with a COSE header like 'kid', then that is in turn much smaller than a CCS
.</t>
<section anchor="auth-keys"> <section anchor="auth-keys">
<name>Authentication Keys</name> <name>Authentication Keys</name>
<t>The authentication key (i.e., the public key used for authenticatio <t>The authentication key <bcp14>MUST</bcp14> be a signature key or a
n) MUST be a signature key or static Diffie-Hellman key. The Initiator and the R static Diffie-Hellman key. The Initiator and Responder <bcp14>MAY</bcp14> use di
esponder MAY use different types of authentication keys, e.g., one uses a signat fferent types of authentication keys, e.g., one uses a signature key and the oth
ure key and the other uses a static Diffie-Hellman key.</t> er uses a static Diffie-Hellman key.</t>
<t>The authentication key algorithm needs to be compatible with the me <t>The authentication key algorithm needs to be compatible with the me
thod and the selected cipher suite (see <xref target="cs"/>). The authentication thod and the selected cipher suite (see <xref target="cs"/>). The authentication
key algorithm needs to be compatible with the EDHOC key exchange algorithm when key algorithm needs to be compatible with the EDHOC key exchange algorithm when
static Diffie-Hellman authentication is used, and compatible with the EDHOC sig static Diffie-Hellman authentication is used and compatible with the EDHOC sign
nature algorithm when signature authentication is used.</t> ature algorithm when signature authentication is used.</t>
<t>Note that for most signature algorithms, the signature is determine <t>Note that for most signature algorithms, the signature is determine
d by the signature algorithm and the authentication key algorithm together. When d jointly by the signature algorithm and the authentication key algorithm. When
using static Diffie-Hellman keys the Initiator's and Responder's private authen using static Diffie-Hellman keys, the Initiator's and the Responder's private au
tication keys are denoted as I and R, respectively, and the public authenticatio thentication keys are denoted as I and R, respectively, and the public authentic
n keys are denoted G_I and G_R, respectively.</t> ation keys are denoted G_I and G_R, respectively.</t>
<t>For X.509 certificates the authentication key is represented by a S <t>For X.509 certificates, the authentication key is represented by a
ubjectPublicKeyInfo field. For CWT and CCS (see <xref target="auth-cred"/>)) the SubjectPublicKeyInfo field, which also contains information about authentication
authentication key is represented by a 'cnf' claim <xref target="RFC8747"/> con key algorithm. For CWT and CCS (see <xref target="auth-cred"/>), the authentica
taining a COSE_Key <xref target="RFC9052"/>. In EDHOC, a raw public key (RPK) is tion key is represented by a 'cnf' claim <xref target="RFC8747"/> containing a C
an authentication key encoded as a COSE_Key wrapped in a CCS.</t> OSE_Key <xref target="RFC9052"/>, which contains information about authenticatio
n key algorithm. In EDHOC, a raw public key (RPK) is an authentication key encod
ed as a COSE_Key wrapped in a CCS, an example is given in <xref target="fig-ccs"
/>.</t>
</section> </section>
<section anchor="auth-cred"> <section anchor="auth-cred">
<name>Authentication Credentials</name> <name>Authentication Credentials</name>
<t>The authentication credentials, CRED_I and CRED_R, contains the pub lic authentication key of the Initiator and the Responder, respectively. <t>The authentication credentials, CRED_I and CRED_R, contain the publ ic authentication key of the Initiator and Responder, respectively.
We use the notation CRED_x to refer to CRED_I or CRED_R. We use the notation CRED_x to refer to CRED_I or CRED_R.
Requirements on CRED_x applies both to CRED_I and to CRED_R. Requirements on CRED_x applies both to CRED_I and to CRED_R.
The authentication credential typically also contains other parameters that need The authentication credential typically also contains other parameters that need
s to be verified by the application, see <xref target="auth-validation"/>, and i s to be verified by the application (see <xref target="auth-validation"/>) and i
n particular information about the identity ("subject") of the endpoint to preve n particular information about the identity ("subject") of the endpoint to preve
nt misbinding attacks, see <xref target="identities"/>.</t> nt misbinding attacks (see <xref target="identities"/>).</t>
<t>EDHOC relies on COSE for identification of credentials (see <xref t <t>EDHOC relies on COSE for identification of credentials (see <xref t
arget="id_cred"/>), for example X.509 certificates <xref target="RFC9360"/>, C50 arget="id_cred"/>), for example, X.509 certificates <xref target="RFC9360"/>, C5
9 certificates <xref target="I-D.ietf-cose-cbor-encoded-cert"/>, CWTs <xref targ 09 certificates <xref target="I-D.ietf-cose-cbor-encoded-cert"/>, CWTs <xref tar
et="RFC8392"/> and CWT Claims Sets (CCS) <xref target="RFC8392"/>. When the iden get="RFC8392"/>, and CCSs <xref target="RFC8392"/>. When the identified credenti
tified credential is a chain or a bag, the authentication credential CRED_x is j al is a chain or a bag, the authentication credential CRED_x is just the end ent
ust the end entity X.509 or C509 certificate / CWT. In the choice between chain ity X.509 or C509 certificate / CWT. In the choice between a chain or a bag, it
or bag it is RECOMMENDED to use a chain, since the certificates in a bag are uno is <bcp14>RECOMMENDED</bcp14> to use a chain, since the certificates in a bag ar
rdered and may contain self-signed and extraneous certificates, which can add co e unordered and may contain self-signed and extraneous certificates, which can a
mplexity to the process of extracting the end entity certificate. The Initiator dd complexity to the process of extracting the end entity certificate. The Initi
and the Responder MAY use different types of authentication credentials, e.g., o ator and Responder <bcp14>MAY</bcp14> use different types of authentication cred
ne uses an RPK and the other uses a public key certificate.</t> entials, e.g., one uses an RPK and the other uses a public key certificate.</t>
<t>Since CRED_R is used in the integrity verification, see <xref targe <t>Since CRED_R is used in the integrity verification (see <xref targe
t="asym-msg2-proc"/>, it needs to be specified such that it is identical when us t="asym-msg2-proc"/>), it needs to be specified such that it is identical when u
ed by Initiator or Responder. Similarly for CRED_I, see <xref target="asym-msg3- sed by the Initiator or Responder. Similarly for CRED_I, see <xref target="asym-
proc"/>. The Initiator and Responder are expected to agree on the specific encod msg3-proc"/>. The Initiator and Responder are expected to agree on the specific
ing of the authentication credentials, see <xref target="applicability"/>. It is encoding of the authentication credentials; see <xref target="applicability"/>.
RECOMMENDED that the COSE 'kid' parameter, when used to identify the authentica It is <bcp14>RECOMMENDED</bcp14> that the COSE 'kid' parameter, when used to ide
tion credential, refers to a such a specific encoding of the authentication cred ntify the authentication credential, refers to such a specific encoding of the a
ential. The Initiator and Responder SHOULD use an available authentication crede uthentication credential. The Initiator and Responder <bcp14>SHOULD</bcp14> use
ntial (transported in EDHOC or otherwise provisioned) without re-encoding. If fo an available authentication credential without re-encoding, i.e. an authenticati
r some reason re-encoding of the authentication credential may occur, then a pot on credential transported in EDHOC by value, or otherwise provisioned, <bcp14>SH
ential common encoding for CBOR based credentials is bytewise lexicographic orde OULD</bcp14> be used as is. If for some reason re-encoding of an authentication
r of their deterministic encodings as specified in Section 4.2.1 of <xref target credential passed by reference may occur, then a potential common encoding for C
="RFC8949"/>.</t> BOR-based credentials is deterministically encoded CBOR, as specified in Section
s <xref target="RFC8949" section="4.2.1" sectionFormat="bare"/> and <xref target
="RFC8949" section="4.2.2" sectionFormat="bare"/> of <xref target="RFC8949"/>.</
t>
<ul spacing="normal"> <ul spacing="normal">
<li>When the authentication credential is an X.509 certificate, CRED <li>When the authentication credential is an X.509 certificate, CRED
_x SHALL be the DER encoded certificate, encoded as a bstr <xref target="RFC9360 _x <bcp14>SHALL</bcp14> be the DER-encoded certificate, encoded as a bstr <xref
"/>.</li> target="RFC9360"/>.</li>
<li>When the authentication credential is a C509 certificate, CRED_x <li>When the authentication credential is a C509 certificate, CRED_x
SHALL be the C509Certificate <xref target="I-D.ietf-cose-cbor-encoded-cert"/>.< <bcp14>SHALL</bcp14> be the C509 certificate <xref target="I-D.ietf-cose-cbor-e
/li> ncoded-cert"/>.</li>
<li>When the authentication credential is a CWT including a COSE_Key <li>When the authentication credential is a CWT including a COSE_Key
, CRED_x SHALL be the untagged CWT.</li> , CRED_x <bcp14>SHALL</bcp14> be the untagged CWT.</li>
<li> <li>
<t>When the authentication credential includes a COSE_Key but is n ot in a CWT, CRED_x SHALL be an untagged CWT Claims Set (CCS). This is how RPKs are encoded, see <xref target="fig-ccs"/> for an example. <t>When the authentication credential includes a COSE_Key but is n ot in a CWT, CRED_x <bcp14>SHALL</bcp14> be an untagged CCS. This is how RPKs ar e encoded, see <xref target="fig-ccs"/> for an example.
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>Naked COSE_Keys are thus dressed as CCS when used in EDHOC, in its simplest form by prefixing the COSE_Key with 0xA108A101 (a map with a 'cn f' claim). In that case the resulting authentication credential contains no othe r identity than the public key itself, see <xref target="identities"/>.</li> <li>Naked COSE_Keys are thus dressed as CCS when used in EDHOC, in its simplest form by prefixing the COSE_Key with 0xA108A101 (a map with a 'cn f' claim). In that case, the resulting authentication credential contains no oth er identity than the public key itself; see <xref target="identities"/>.</li>
</ul> </ul>
</li> </li>
</ul> </ul>
<t>An example of CRED_x is shown below:</t> <t>An example of CRED_x is shown below:</t>
<figure anchor="fig-ccs"> <figure anchor="fig-ccs">
<name>CWT Claims Set (CCS) containing an X25519 static Diffie-Hellma n key and an EUI-64 identity.</name> <name>CCS Containing an X25519 Static Diffie-Hellman Key and an EUI- 64 Identity</name>
<artwork><![CDATA[ <artwork><![CDATA[
{ /CCS/ { /CCS/
2 : "42-50-31-FF-EF-37-32-39", /sub/ 2 : "42-50-31-FF-EF-37-32-39", /sub/
8 : { /cnf/ 8 : { /cnf/
1 : { /COSE_Key/ 1 : { /COSE_Key/
1 : 1, /kty/ 1 : 1, /kty/
2 : h'00', /kid/ 2 : h'00', /kid/
-1 : 4, /crv/ -1 : 4, /crv/
-2 : h'b1a3e89460e88d3a8d54211dc95f0b90 /x/ -2 : h'b1a3e89460e88d3a8d54211dc95f0b90 /x/
3ff205eb71912d6db8f4af980d2db83a' 3ff205eb71912d6db8f4af980d2db83a'
} }
} }
} }
]]></artwork> ]]></artwork>
</figure> </figure>
</section> </section>
<section anchor="id_cred"> <section anchor="id_cred">
<name>Identification of Credentials</name> <name>Identification of Credentials</name>
<t>The ID_CRED fields, ID_CRED_R and ID_CRED_I, are transported in mes sage_2 and message_3, respectively, see <xref target="asym-msg2-proc"/> and <xre f target="asym-msg3-proc"/>. <t>The ID_CRED fields, ID_CRED_R and ID_CRED_I, are transported in mes sage_2 and message_3, respectively; see Sections <xref target="asym-msg2-proc" f ormat="counter"/> and <xref target="asym-msg3-proc" format="counter"/>.
We use the notation ID_CRED_x to refer to ID_CRED_I or ID_CRED_R. We use the notation ID_CRED_x to refer to ID_CRED_I or ID_CRED_R.
Requirements on ID_CRED_x applies both to ID_CRED_I and to ID_CRED_R. Requirements on ID_CRED_x applies both to ID_CRED_I and to ID_CRED_R.
The ID_CRED fields are used to identify and optionally transport credentials:</t > The ID_CRED fields are used to identify and optionally transport credentials:</t >
<ul spacing="normal"> <ul spacing="normal">
<li>ID_CRED_R is intended to facilitate for the Initiator retrieving the authentication credential CRED_R and the authentication key of R.</li> <li>ID_CRED_R is intended to facilitate for the Initiator retrieving the authentication credential CRED_R and the authentication key of R.</li>
<li>ID_CRED_I is intended to facilitate for the Responder retrieving the authentication credential CRED_I and the authentication key of I.</li> <li>ID_CRED_I is intended to facilitate for the Responder retrieving the authentication credential CRED_I and the authentication key of I.</li>
</ul> </ul>
<t>ID_CRED_x may contain the authentication credential CRED_x, for x = <t>ID_CRED_x may contain the authentication credential CRED_x, for x =
I or R, but for many settings it is not necessary to transport the authenticati I or R, but for many settings, it is not necessary to transport the authenticat
on credential within EDHOC. For example, it may be pre-provisioned or acquired o ion credential within EDHOC. For example, it may be pre-provisioned or acquired
ut-of-band over less constrained links. ID_CRED_I and ID_CRED_R do not have any out-of-band over less constrained links. ID_CRED_I and ID_CRED_R do not have any
cryptographic purpose in EDHOC since the authentication credentials are integrit cryptographic purpose in EDHOC since the authentication credentials are integri
y protected.</t> ty protected by the Signature_or_MAC field.</t>
<t>EDHOC relies on COSE for identification of credentials and supports <t>EDHOC relies on COSE for identification of credentials and supports
all credential types for which COSE header parameters are defined including X.5 all credential types for which COSE header parameters are defined, including X.
09 certificates (<xref target="RFC9360"/>), C509 certificates (<xref target="I-D 509 certificates <xref target="RFC9360"/>, C509 certificates <xref target="I-D.i
.ietf-cose-cbor-encoded-cert"/>), CWT (see <xref target="new-header-param"/>) an etf-cose-cbor-encoded-cert"/>, CWTs (<xref target="new-header-param"/>) and CCSs
d CWT Claims Set (see <xref target="new-header-param"/>).</t> (<xref target="new-header-param"/>).</t>
<t>ID_CRED_I and ID_CRED_R are of type COSE header_map, as defined in <t>ID_CRED_I and ID_CRED_R are of type COSE header_map, as defined in
Section 3 of <xref target="RFC9052"/>, and contains one or more COSE header para <xref target="RFC9052" section="3" sectionFormat="of"/>, and contain one or more
meters. ID_CRED_I and ID_CRED_R MAY contain different header parameters. The hea COSE header parameters. If a map contains several header parameters, the labels
der parameters typically provide some information about the format of the creden do not need to be sorted in bytewise lexicographic order. ID_CRED_I and ID_CRED
tial.</t> _R <bcp14>MAY</bcp14> contain different header parameters. The header parameters
<t>Example: X.509 certificates can be identified by a hash value using typically provide some information about the format of the credential.</t>
the 'x5t' parameter, see Section 2 of <xref target="RFC9360"/>:</t> <t>Example: X.509 certificates can be identified by a hash value using
the 'x5t' parameter; see <xref target="RFC9360" section="2" sectionFormat="of"/
>:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>ID_CRED_x = { 34 : COSE_CertHash }, for x = I or R,</li> <li>ID_CRED_x = { 34 : COSE_CertHash }, for x = I or R</li>
</ul> </ul>
<t>Example: CWT or CCS can be identified by a key identifier using the 'kid' parameter, see Section 3.1 of <xref target="RFC9052"/>:</t> <t>Example: CWT or CCS can be identified by a key identifier using the 'kid' parameter; see <xref target="RFC9052" section="3.1" sectionFormat="of"/>: </t>
<ul spacing="normal"> <ul spacing="normal">
<li>ID_CRED_x = { 4 : kid_x }, where kid_x : kid, for x = I or R.</l i> <li>ID_CRED_x = { 4 : kid_x }, where kid_x : kid, for x = I or R</li >
</ul> </ul>
<t>Note that COSE header parameters in ID_CRED_x are used to identify <t>Note that COSE header parameters in ID_CRED_x are used to identify
the message sender's credential. There is therefore no reason to use the "-sende the message sender's credential. Therefore, there is no reason to use the "-send
r" header parameters, such as x5t-sender, defined in Section 3 of <xref target=" er" header parameters, such as x5t-sender, defined in <xref target="RFC9360" sec
RFC9360"/>. Instead, the corresponding parameter without "-sender", such as x5t, tion="3" sectionFormat="of"/>. Instead, the corresponding parameter without "-se
SHOULD be used.</t> nder", such as x5t, <bcp14>SHOULD</bcp14> be used.</t>
<t>As stated in Section 3.1 of <xref target="RFC9052"/>, applications <t>As stated in <xref target="RFC9052" section="3.1" sectionFormat="of
MUST NOT assume that 'kid' values are unique and several keys associated with a "/>, applications <bcp14>MUST NOT</bcp14> assume that 'kid' values are unique an
'kid' may need to be checked before the correct one is found. Applications might d several keys associated with a 'kid' may need to be checked before the correct
use additional information such as 'kid context' or lower layers to determine w one is found. Applications might use additional information such as 'kid contex
hich key to try first. Applications should strive to make ID_CRED_x as unique as t' or lower layers to determine which key to try first. Applications should stri
possible, since the recipient may otherwise have to try several keys.</t> ve to make ID_CRED_x as unique as possible, since the recipient may otherwise ha
ve to try several keys.</t>
<t>See <xref target="COSE"/> for more examples.</t> <t>See <xref target="COSE"/> for more examples.</t>
<section anchor="new-header-param"> <section anchor="new-header-param">
<name>COSE Header Parameters for CWT and CWT Claims Set</name> <name>COSE Header Parameters for CWT and CWT Claims Set</name>
<t>This document registers two new COSE header parameters 'kcwt' and <t>This document registers two new COSE header parameters, 'kcwt' an
'kccs' for use with CBOR Web Token (CWT, <xref target="RFC8392"/>) and CWT Clai d 'kccs', for use with CBOR Web Token (CWT) <xref target="RFC8392"/> and CWT Cla
ms Set (CCS, <xref target="RFC8392"/>), respectively. The CWT/CCS MUST contain a ims Set (CCS) <xref target="RFC8392"/>, respectively. The CWT/CCS <bcp14>MUST</b
COSE_Key in a 'cnf' claim <xref target="RFC8747"/>. There may be any number of cp14> contain a COSE_Key in a 'cnf' claim <xref target="RFC8747"/>. There may be
additional claims present in the CWT/CCS.</t> any number of additional claims present in the CWT/CCS.</t>
<t>CWTs sent in 'kcwt' are protected using a MAC or a signature and <t>CWTs sent in 'kcwt' are protected using a MAC or a signature and
are similar to a certificate (when with public key cryptography) or a Kerberos t are similar to a certificate (when used with public key cryptography) or a Kerbe
icket (when used with symmetric key cryptography). CCSs sent in 'kccs' are not p ros ticket (when used with symmetric key cryptography). CCSs sent in 'kccs' are
rotected and are therefore similar to raw public keys or self-signed certificate not protected and are therefore similar to raw public keys or self-signed certif
s.</t> icates.</t>
<t>Security considerations for 'kcwt' and 'kccs' are made in <xref t arget="impl-cons"/>.</t> <t>Security considerations for 'kcwt' and 'kccs' are made in <xref t arget="impl-cons"/>.</t>
</section> </section>
<section anchor="compact-kid"> <section anchor="compact-kid">
<name>Compact Encoding of ID_CRED Fields for 'kid'</name> <name>Compact Encoding of ID_CRED Fields for 'kid'</name>
<t>To comply with the LAKE message size requirements, see <xref targ et="I-D.ietf-lake-reqs"/>, two optimizations are made for the case when ID_CRED_ x, for x = I or R, contains a single 'kid' parameter.</t> <t>To comply with the Lightweight Authenticated Key Exchange (LAKE) message size requirements (see <xref target="I-D.ietf-lake-reqs"/>), two optimiz ations are made for the case when ID_CRED_x, for x = I or R, contains a single ' kid' parameter.</t>
<ol spacing="normal" type="1"><li>The CBOR map { 4 : kid_x } is repl aced by the byte string kid_x.</li> <ol spacing="normal" type="1"><li>The CBOR map { 4 : kid_x } is repl aced by the byte string kid_x.</li>
<li>The representation of identifiers specified in <xref target="b str-repr"/> is applied to kid_x.</li> <li>The representation of identifiers specified in <xref target="b str-repr"/> is applied to kid_x.</li>
</ol> </ol>
<t>These optimizations MUST be applied if and only if ID_CRED_x = { 4 : kid_x } and ID_CRED_x in PLAINTEXT_y of message_y, y = 2 or 3, see <xref tar get="asym-msg2-proc"/> and <xref target="asym-msg3-proc"/>. Note that these opti mizations are not applied to instances of ID_CRED_x which have no impact on mess age size, e.g., context_y, or the COSE protected header. Examples:</t> <t>These optimizations <bcp14>MUST</bcp14> be applied if and only if ID_CRED_x = { 4 : kid_x } and ID_CRED_x in PLAINTEXT_y of message_y, y = 2 or 3 ; see Sections <xref target="asym-msg2-proc" format="counter"/> and <xref target ="asym-msg3-proc" format="counter"/>. Note that these optimizations are not appl ied to instances of ID_CRED_x that have no impact on message size, e.g., context _y, or the COSE protected header. For example:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>For ID_CRED_x = { 4 : h'FF' }, the encoding in PLAINTEXT_y is not the CBOR map 0xA10441FF but the CBOR byte string h'FF', i.e., 0x41FF.</li> <li>For ID_CRED_x = { 4 : h'FF' }, the encoding in PLAINTEXT_y is not the CBOR map 0xA10441FF but the CBOR byte string h'FF', i.e., 0x41FF.</li>
<li>For ID_CRED_x = { 4 : h'21' }, the encoding in PLAINTEXT_y is neither the CBOR map 0xA1044121, nor the CBOR byte string h'21', i.e., 0x4121, b ut the CBOR integer 0x21.</li> <li>For ID_CRED_x = { 4 : h'21' }, the encoding in PLAINTEXT_y is neither the CBOR map 0xA1044121 nor the CBOR byte string h'21', i.e., 0x4121, bu t the CBOR integer 0x21.</li>
</ul> </ul>
</section> </section>
</section> </section>
</section> </section>
<section anchor="cs"> <section anchor="cs">
<name>Cipher Suites</name> <name>Cipher Suites</name>
<t>An EDHOC cipher suite consists of an ordered set of algorithms from t <t>An EDHOC cipher suite consists of an ordered set of algorithms from t
he "COSE Algorithms" and "COSE Elliptic Curves" registries as well as the EDHOC he "COSE Algorithms" and "COSE Elliptic Curves" registries as well as the EDHOC
MAC length. All algorithm names and definitions follow from COSE algorithms <xre MAC length. All algorithm names and definitions follow COSE Algorithms <xref tar
f target="RFC9053"/>. Note that COSE sometimes uses peculiar names such as ES256 get="RFC9053"/>. Note that COSE sometimes uses peculiar names such as ES256 for
for ECDSA with SHA-256, A128 for AES-128, and Ed25519 for the curve edwards2551 Elliptic Curve Digital Signature Algorithm (ECDSA) with SHA-256, A128 for AES-12
9. Algorithms need to be specified with enough parameters to make them completel 8, and Ed25519 for the curve edwards25519. Algorithms need to be specified with
y determined. The EDHOC MAC length MUST be at least 8 bytes. Any cryptographic a enough parameters to make them completely determined. The EDHOC MAC length <bcp1
lgorithm used in the COSE header parameters in ID_CRED fields is selected indepe 4>MUST</bcp14> be at least 8 bytes. Any cryptographic algorithm used in the COSE
ndently of the selected cipher suite. EDHOC is currently only specified for use header parameters in ID_CRED fields is selected independently of the selected c
with key exchange algorithms of type ECDH curves, but any Key Encapsulation Meth ipher suite. EDHOC is currently only specified for use with key exchange algorit
od (KEM), including Post-Quantum Cryptography (PQC) KEMs, can be used in method hms of type ECDH curves, but any Key Encapsulation Mechanism (KEM), including Po
0, see <xref target="pqc"/>. Use of other types of key exchange algorithms to re st-Quantum Cryptography (PQC) KEMs, can be used in method 0; see <xref target="p
place static DH authentication (method 1,2,3) would likely require a specificati qc"/>. Use of other types of key exchange algorithms to replace static DH authen
on updating EDHOC with new methods.</t> tication (methods 1, 2, and 3) would likely require a specification updating EDH
<t>EDHOC supports all signature algorithms defined by COSE. Just like in OC with new methods.</t>
(D)TLS 1.3 <xref target="RFC8446"/><xref target="RFC9147"/> and IKEv2 <xref tar <t>EDHOC supports all signature algorithms defined by COSE. Just like in
get="RFC7296"/>, a signature in COSE is determined by the signature algorithm an (D)TLS 1.3 <xref target="RFC8446"/> <xref target="RFC9147"/> and IKEv2 <xref ta
d the authentication key algorithm together, see <xref target="auth-keys"/>. The rget="RFC7296"/>, a signature in COSE is determined jointly by the signature alg
exact details of the authentication key algorithm depend on the type of authent orithm and the authentication key algorithm; see <xref target="auth-keys"/>. The
ication credential. COSE supports different formats for storing the public authe exact details of the authentication key algorithm depend on the type of authent
ntication keys including COSE_Key and X.509, which use different names and ways ication credential. COSE supports different formats for storing the public authe
to represent the authentication key and the authentication key algorithm.</t> ntication keys including COSE_Key and X.509, which use different names and ways
to represent the authentication key and the authentication key algorithm.</t>
<t>An EDHOC cipher suite consists of the following parameters:</t> <t>An EDHOC cipher suite consists of the following parameters:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>EDHOC AEAD algorithm</li> <li>EDHOC AEAD algorithm,</li>
<li>EDHOC hash algorithm</li> <li>EDHOC hash algorithm,</li>
<li>EDHOC MAC length in bytes (Static DH)</li> <li>EDHOC MAC length in bytes (Static DH),</li>
<li>EDHOC key exchange algorithm (ECDH curve)</li> <li>EDHOC key exchange algorithm (ECDH curve),</li>
<li>EDHOC signature algorithm</li> <li>EDHOC signature algorithm,</li>
<li>Application AEAD algorithm</li> <li>application AEAD algorithm, and</li>
<li>Application hash algorithm</li> <li>application hash algorithm.</li>
</ul> </ul>
<t>Each cipher suite is identified with a pre-defined integer label.</t> <t>Each cipher suite is identified with a predefined integer label.</t>
<t>EDHOC can be used with all algorithms and curves defined for COSE. Im <t>EDHOC can be used with all algorithms and curves defined for COSE. Im
plementations can either use any combination of COSE algorithms and parameters t plementations can either use any combination of COSE algorithms and parameters t
o define their own private cipher suite, or use one of the pre-defined cipher su o define their own private cipher suite or use one of the predefined cipher suit
ites. Private cipher suites can be identified with any of the four values -24, - es. Private cipher suites can be identified with any of the four values: -24, -2
23, -22, -21. The pre-defined cipher suites are listed in the IANA registry (<xr 3, -22, and -21. The predefined cipher suites are listed in the IANA registry (<
ef target="suites-registry"/>) with initial content outlined here:</t> xref target="suites-registry"/>) with the initial content outlined here:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>Cipher suites 0-3, based on AES-CCM, are intended for constrained IoT where message overhead is a very important factor. Note that AES-CCM-16-64- 128 and AES-CCM-16-128-128 are compatible with the IEEE CCM* mode. <t>Cipher suites 0-3, based on AES-CCM, are intended for constrained IoT where message overhead is a very important factor. Note that AES-CCM-16-64- 128 and AES-CCM-16-128-128 are compatible with the IEEE AES-CCM* mode of operati on defined in Annex B of <xref target="IEEE.802.15.4-2015"/>.
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>Cipher suites 1 and 3 use a larger tag length (128-bit) in EDH OC than in the Application AEAD algorithm (64-bit).</li> <li>Cipher suites 1 and 3 use a larger tag length (128 bits) in ED HOC than in the application AEAD algorithm (64 bits).</li>
</ul> </ul>
</li> </li>
<li>Cipher suites 4 and 5, based on ChaCha20, are intended for less co nstrained applications and only use 128-bit tag lengths.</li> <li>Cipher suites 4 and 5, based on ChaCha20, are intended for less co nstrained applications and only use 128-bit tag lengths.</li>
<li>Cipher suite 6, based on AES-GCM, is for general non-constrained a <li>Cipher suite 6, based on AES-GCM, is for general non-constrained a
pplications. It consists of high performance algorithms that are widely used in pplications. It consists of high-performance algorithms that are widely used in
non-constrained applications.</li> non-constrained applications.</li>
<li>Cipher suites 24 and 25 are intended for high security application <li>Cipher suites 24 and 25 are intended for high security application
s such as government use and financial applications. These cipher suites do not s such as government use and financial applications. These cipher suites do not
share any algorithms. Cipher suite 24 consists of algorithms from the CNSA 1.0 s share any algorithms. Cipher suite 24 consists of algorithms from the Commercial
uite <xref target="CNSA"/>.</li> National Security Algorithm (CNSA) 1.0 suite <xref target="CNSA"/>.</li>
</ul> </ul>
<t>The different methods (<xref target="method"/>) use the same cipher s uites, but some algorithms are not used in some methods. The EDHOC signature alg orithm is not used in methods without signature authentication.</t> <t>The different methods (<xref target="method"/>) use the same cipher s uites, but some algorithms are not used in some methods. The EDHOC signature alg orithm is not used in methods without signature authentication.</t>
<t>The Initiator needs to have a list of cipher suites it supports in or der of preference. The Responder needs to have a list of cipher suites it suppor ts. SUITES_I contains cipher suites supported by the Initiator, formatted and pr ocessed as detailed in <xref target="asym-msg1-form"/> to secure the cipher suit e negotiation. Examples of cipher suite negotiation are given in <xref target="e x-neg"/>.</t> <t>The Initiator needs to have a list of cipher suites it supports in or der of preference. The Responder needs to have a list of cipher suites it suppor ts. SUITES_I contains cipher suites supported by the Initiator and formatted and processed as detailed in <xref target="asym-msg1-form"/> to secure the cipher s uite negotiation. Examples of cipher suite negotiation are given in <xref target ="ex-neg"/>.</t>
</section> </section>
<section anchor="cose_key"> <section anchor="cose_key">
<name>Ephemeral Public Keys</name> <name>Ephemeral Public Keys</name>
<t>The ephemeral public keys in EDHOC (G_X and G_Y) use compact represen tation of elliptic curve points, see <xref target="comrep"/>. In COSE, compact r epresentation is achieved by formatting the ECDH ephemeral public keys as COSE_K eys of type EC2 or OKP according to Sections 7.1 and 7.2 of <xref target="RFC905 3"/>, but only including the 'x' parameter in G_X and G_Y. For Elliptic Curve Ke ys of type EC2, compact representation MAY be used also in the COSE_Key. COSE al ways uses compact output for Elliptic Curve Keys of type EC2. If the COSE implem entation requires a 'y' parameter, the value y = false or a calculated y-coordin ate can be used, see <xref target="comrep"/>.</t> <t>The ephemeral public keys in EDHOC (G_X and G_Y) use compact represen tation of elliptic curve points; see <xref target="comrep"/>. In COSE, compact r epresentation is achieved by formatting the ECDH ephemeral public keys as COSE_K eys of type EC2 or Octet Key Pair (OKP) according to Sections <xref target="RFC9 053" section="7.1" sectionFormat="bare"/> and <xref target="RFC9053" section="7. 2" sectionFormat="bare"/> of <xref target="RFC9053"/> but only including the 'x' parameter in G_X and G_Y. For Elliptic Curve Keys of type EC2, compact represen tation <bcp14>MAY</bcp14> be used also in the COSE_Key. COSE always uses compact output for Elliptic Curve Keys of type EC2. If the COSE implementation requires a 'y' parameter, the value y = false or a calculated y-coordinate can be used; see <xref target="comrep"/>.</t>
</section> </section>
<section anchor="AD"> <section anchor="AD">
<name>External Authorization Data (EAD)</name> <name>External Authorization Data (EAD)</name>
<t>In order to reduce round trips and the number of messages, or to simp <t>In order to reduce round trips and the number of messages or to simpl
lify processing, external security applications may be integrated into EDHOC by ify processing, external security applications may be integrated into EDHOC by t
transporting authorization related data in the messages.</t> ransporting authorization-related data in the messages.</t>
<t>EDHOC allows processing of external authorization data (EAD) to be de <t>EDHOC allows processing of external authorization data (EAD) to be de
fined in a separate specification, and sent in dedicated fields of the four EDHO fined in a separate specification and sent in dedicated fields of the four EDHOC
C messages (EAD_1, EAD_2, EAD_3, EAD_4). EAD is opaque data to EDHOC.</t> messages: EAD_1, EAD_2, EAD_3, and EAD_4. EAD is opaque data to EDHOC.</t>
<t>Each EAD field, EAD_x for x = 1, 2, 3 or 4, is a CBOR sequence (see < <t>Each EAD field, EAD_x, for x = 1, 2, 3, or 4, is a CBOR sequence (see
xref target="CBOR"/>) consisting of one or more EAD items. An EAD item ead is a <xref target="CBOR"/>) consisting of one or more EAD items. EAD item ead is a C
CBOR sequence of an ead_label and an optional ead_value, see <xref target="fig-e BOR sequence of an ead_label and an optional ead_value; see <xref target="fig-ea
ad-item"/> and <xref target="CDDL"/> for the CDDL definitions.</t> d-item"/> and <xref target="CDDL"/> for the CDDL definitions.</t>
<figure anchor="fig-ead-item"> <figure anchor="fig-ead-item">
<name>EAD item.</name> <name>EAD Item</name>
<sourcecode type="CDDL"><![CDATA[ <sourcecode type="CDDL"><![CDATA[
ead = ( ead = (
ead_label : int, ead_label : int,
? ead_value : bstr, ? ead_value : bstr,
) )
]]></sourcecode> ]]></sourcecode>
</figure> </figure>
<t>A security application may register one or more EAD labels, see <xref <t>A security application may register one or more EAD labels (see <xref
target="iana-ead"/>, and specify the associated processing and security conside target="iana-ead"/>) and specify the associated processing and security conside
rations. The IANA registry contains the absolute value of the ead_label, |ead_la rations. The IANA registry contains the absolute value of the ead_label, |ead_la
bel|; the same ead_value applies independently of sign of ead_label.</t> bel|; the same ead_value applies independently of the sign of the ead_label.</t>
<t>An EAD item can be either critical or non-critical, determined by the <t>An EAD item can be either critical or non-critical, determined by the
sign of the ead_label in the EAD item transported in the EAD field. A negative sign of the ead_label in the EAD item transported in the EAD field. A negative
value indicates that the EAD item is critical and a non-negative value indicates value indicates that the EAD item is critical, and a nonnegative value indicates
that the EAD item is non-critical.</t> that the EAD item is non-critical.</t>
<t>If an endpoint receives a critical EAD item it does not recognize, or <t>If an endpoint receives a critical EAD item it does not recognize or
a critical EAD item that contains information that it cannot process, then the a critical EAD item that contains information that it cannot process, then the e
endpoint MUST send an EDHOC error message back as defined in <xref target="error ndpoint <bcp14>MUST</bcp14> send an EDHOC error message back as defined in <xref
"/>, and the EDHOC session MUST be aborted. The EAD item specification defines t target="error"/>, and the EDHOC session <bcp14>MUST</bcp14> be aborted. The EAD
he error processing. A non-critical EAD item can be ignored.</t> item specification defines the error processing. A non-critical EAD item can be
<t>The security application registering a new EAD item needs to describe ignored.</t>
under what conditions the EAD item is critical or non-critical, and thus whethe <t>The security application registering a new EAD item needs to describe
r the ead_label is used with negative or positive sign. ead_label = 0 is used fo under what conditions the EAD item is critical or non-critical, and thus whethe
r padding, see <xref target="padding"/>.</t> r the ead_label is used with a negative or positive sign. ead_label = 0 is used
for padding; see <xref target="padding"/>.</t>
<t>The security application may define multiple uses of certain EAD item s, e.g., the same EAD item may be used in different EDHOC messages. Multiple occ urrences of an EAD item in one EAD field may also be specified, but the critical ity of the repeated EAD item is expected to be the same.</t> <t>The security application may define multiple uses of certain EAD item s, e.g., the same EAD item may be used in different EDHOC messages. Multiple occ urrences of an EAD item in one EAD field may also be specified, but the critical ity of the repeated EAD item is expected to be the same.</t>
<t>The EAD fields of EDHOC MUST only be used with registered EAD items, see <xref target="iana-ead"/>. Examples of the use of EAD are provided in <xref target="ead-appendix"/>.</t> <t>The EAD fields of EDHOC <bcp14>MUST</bcp14> only be used with registe red EAD items; see <xref target="iana-ead"/>. Examples of the use of EAD are pro vided in <xref target="ead-appendix"/>.</t>
<section anchor="padding"> <section anchor="padding">
<name>Padding</name> <name>Padding</name>
<t>EDHOC message_1 and the plaintext of message_2, message_3 and messa <t>EDHOC message_1 and the plaintext of message_2, message_3, and mess
ge_4 can be padded with the use of the corresponding EAD_x field, for x = 1, 2, age_4 can be padded with the use of the corresponding EAD_x field, for x = 1, 2,
3, 4. Padding in EAD_1 mitigates amplification attacks (see <xref target="dos"/> 3, or 4. Padding in EAD_1 mitigates amplification attacks (see <xref target="do
), and padding in EAD_2, EAD_3, and EAD_4 hides the true length of the plaintext s"/>), and padding in EAD_2, EAD_3, and EAD_4 hides the true length of the plain
(see <xref target="internet-threat"/>). Padding MUST be ignored and discarded b text (see <xref target="internet-threat"/>). Padding <bcp14>MUST</bcp14> be igno
y the receiving application.</t> red and discarded by the receiving application.</t>
<t>Padding is obtained by using an EAD item with ead_label = 0 and a ( <t>Padding is obtained by using an EAD item with ead_label = 0 and a (
pseudo-)randomly generated byte string of appropriate length as ead_value, notin pseudo)randomly generated byte string of appropriate length as ead_value, noting
g that the ead_label and the CBOR encoding of ead_value also add bytes. Examples that the ead_label and the CBOR encoding of ead_value also add bytes. For examp
:</t> le:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>One byte padding (optional ead_value omitted): <t>One-byte padding (optional ead_value omitted):
</t> </t>
<ul spacing="normal"> <t>EAD_x = 0x00</t>
<li>EAD_x = 0x00</li>
</ul>
</li> </li>
<li> <li>
<t>Two bytes padding, using the empty byte string (0x40) as ead_va lue: <t>Two-byte padding, using the empty byte string (0x40) as ead_val ue:
</t> </t>
<ul spacing="normal"> <t>EAD_x = 0x0040</t>
<li>EAD_x = 0x0040</li>
</ul>
</li> </li>
<li> <li>
<t>Three bytes padding, constructed from the pseudorandomly genera ted ead_value 0xe9 encoded as byte string: <t>Three-byte padding, constructed from the pseudorandomly generat ed ead_value 0xe9 encoded as byte string:
</t> </t>
<ul spacing="normal"> <t>EAD_x = 0x0041e9</t>
<li>EAD_x = 0x0041e9</li>
</ul>
</li> </li>
</ul> </ul>
<t>Multiple occurrences of EAD items with ead_label = 0 are allowed. C ertain padding lengths require the use of at least two such EAD items.</t> <t>Multiple occurrences of EAD items with ead_label = 0 are allowed. C ertain padding lengths require the use of at least two such EAD items.</t>
<t>Note that padding is non-critical because the intended behaviour wh en receiving is to ignore it.</t> <t>Note that padding is non-critical because the intended behavior whe n receiving is to ignore it.</t>
</section> </section>
</section> </section>
<section anchor="applicability"> <section anchor="applicability">
<name>Application Profile</name> <name>Application Profile</name>
<t>EDHOC requires certain parameters to be agreed upon between Initiator <t>EDHOC requires certain parameters to be agreed upon between the Initi
and Responder. Some parameters can be negotiated through the protocol execution ator and Responder. Some parameters can be negotiated through the protocol execu
(specifically, cipher suite, see <xref target="cs"/>) but other parameters are tion (specifically, cipher suite; see <xref target="cs"/>), but other parameters
only communicated and may not be negotiated (e.g., which authentication method i are only communicated and may not be negotiated (e.g., which authentication met
s used, see <xref target="method"/>). Yet other parameters need to be known out- hod is used; see <xref target="method"/>). Yet, other parameters need to be know
of-band to ensure successful completion, e.g., whether message_4 is used or not. n out-of-band to ensure successful completion, e.g., whether message_4 is used o
The application decides which endpoint is Initiator and which is Responder.</t> r not. The application decides which endpoint is the Initiator and which is the
<t>The purpose of an application profile is to describe the intended use Responder.</t>
of EDHOC to allow for the relevant processing and verifications to be made, inc <t>The purpose of an application profile is to describe the intended use
luding things like:</t> of EDHOC to allow for the relevant processing and verifications to be made, inc
luding things like the following:</t>
<ol spacing="normal" type="1"><li> <ol spacing="normal" type="1"><li>
<t>How the endpoint detects that an EDHOC message is received. This includes how EDHOC messages are transported, for example in the payload of a CoA P message with a certain Uri-Path or Content-Format; see <xref target="coap"/>. <t>How the endpoint detects that an EDHOC message is received. This includes how EDHOC messages are transported, for example, in the payload of a Co AP message with a certain Uri-Path or Content-Format; see <xref target="coap"/>.
</t> </t>
<ul spacing="normal"> <t>The method of transporting EDHOC messages may also describe dat
<li>The method of transporting EDHOC messages may also describe da a carried along with the messages that are needed for the transport to satisfy t
ta carried along with the messages that are needed for the transport to satisfy he requirements of <xref target="transport"/>, e.g., connection identifiers used
the requirements of <xref target="transport"/>, e.g., connection identifiers use with certain messages; see <xref target="coap"/>.</t>
d with certain messages, see <xref target="coap"/>.</li>
</ul>
</li> </li>
<li>Authentication method (METHOD; see <xref target="method"/>).</li> <li>Authentication method (METHOD; see <xref target="method"/>).</li>
<li>Profile for authentication credentials (CRED_I, CRED_R; see <xref <li>Profile for authentication credentials (CRED_I and CRED_R; see <xr
target="auth-cred"/>), e.g., profile for certificate or CCS, including supported ef target="auth-cred"/>), e.g., profile for certificate or CCS, including suppor
authentication key algorithms (subject public key algorithm in X.509 or C509 ce ted authentication key algorithms (subject public key algorithm in X.509 or C509
rtificate).</li> certificate).</li>
<li>Type used to identify credentials (ID_CRED_I, ID_CRED_R; see <xref <li>Type used to identify credentials (ID_CRED_I and ID_CRED_R; see <x
target="id_cred"/>).</li> ref target="id_cred"/>).</li>
<li>Use and type of external authorization data (EAD_1, EAD_2, EAD_3, <li>Use and type of external authorization data (EAD_1, EAD_2, EAD_3,
EAD_4; see <xref target="AD"/>).</li> and EAD_4; see <xref target="AD"/>).</li>
<li>Identifier used as the identity of the endpoint; see <xref target= "identities"/>.</li> <li>Identifier used as the identity of the endpoint; see <xref target= "identities"/>.</li>
<li>If message_4 shall be sent/expected, and if not, how to ensure a p rotected application message is sent from the Responder to the Initiator; see <x ref target="m4"/>.</li> <li>If message_4 shall be sent/expected, and if not, how to ensure a p rotected application message is sent from the Responder to the Initiator; see <x ref target="m4"/>.</li>
</ol> </ol>
<t>The application profile may also contain information about supported cipher suites. The procedure for selecting and verifying a cipher suite is still performed as described in <xref target="asym-msg1-form"/> and <xref target="wro ng-selected"/>, but it may become simplified by this knowledge. EDHOC messages c an be processed without the application profile, i.e., the EDHOC messages includ es information about the type and length of all fields.</t> <t>The application profile may also contain information about supported cipher suites. The procedure for selecting and verifying a cipher suite is still performed as described in Sections <xref target="asym-msg1-form" format="counte r"/> and <xref target="wrong-selected" format="counter"/>, but it may become sim plified by this knowledge. EDHOC messages can be processed without the applicati on profile, i.e., the EDHOC messages include information about the type and leng th of all fields.</t>
<t>An example of an application profile is shown in <xref target="appl-t emp"/>.</t> <t>An example of an application profile is shown in <xref target="appl-t emp"/>.</t>
<t>For some parameters, like METHOD, type of ID_CRED field or EAD, the r <t>For some parameters, like METHOD, the type of the ID_CRED field, or E
eceiver of an EDHOC message is able to verify compliance with the application pr AD, the receiver of an EDHOC message is able to verify compliance with the appli
ofile, and if it needs to fail because of lack of compliance, to infer the reaso cation profile and, if it needs to fail because of the lack of compliance, to in
n why the EDHOC session failed.</t> fer the reason why the EDHOC session failed.</t>
<t>For other encodings, like the profiling of CRED_x in the case that it <t>For other encodings, like the profiling of CRED_x in the case that it
is not transported, it may not be possible to verify that lack of compliance wi is not transported, it may not be possible to verify that the lack of complianc
th the application profile was the reason for failure: Integrity verification in e with the application profile was the reason for failure. For example, integrit
message_2 or message_3 may fail not only because of a wrong credential. For exa y verification in message_2 or message_3 may fail not only because of a wrong cr
mple, in case the Initiator uses a public key certificate by reference (i.e., no edential. For example, in case the Initiator uses a public key certificate by re
t transported within the protocol) then both endpoints need to use an identical ference (i.e., not transported within the protocol), then both endpoints need to
data structure as CRED_I or else the integrity verification will fail.</t> use an identical data structure as CRED_I or else the integrity verification wi
ll fail.</t>
<t>Note that it is not necessary for the endpoints to specify a single t ransport for the EDHOC messages. For example, a mix of CoAP and HTTP may be used along the path, and this may still allow correlation between messages.</t> <t>Note that it is not necessary for the endpoints to specify a single t ransport for the EDHOC messages. For example, a mix of CoAP and HTTP may be used along the path, and this may still allow correlation between messages.</t>
<t>The application profile may be dependent on the identity of the other <t>The application profile may be dependent on the identity of the other
endpoint, or other information carried in an EDHOC message, but it then applies endpoint or other information carried in an EDHOC message, but it then applies
only to the later phases of the protocol when such information is known. (The I only to the later phases of the protocol when such information is known. (The In
nitiator does not know the identity of the Responder before having verified mess itiator does not know the identity of the Responder before having verified messa
age_2, and the Responder does not know the identity of the Initiator before havi ge_2, and the Responder does not know the identity of the Initiator before havin
ng verified message_3.)</t> g verified message_3.)</t>
<t>Other conditions may be part of the application profile, such as what <t>Other conditions may be part of the application profile, such as what
is the target application or use (if there is more than one application/use) to is the target application or use (if there is more than one application/use) to
the extent that EDHOC can distinguish between them. In case multiple applicatio the extent that EDHOC can distinguish between them. In case multiple applicatio
n profiles are used, the receiver needs to be able to determine which is applica n profiles are used, the receiver needs to be able to determine which is applica
ble for a given EDHOC session, for example based on URI to which the EDHOC messa ble for a given EDHOC session, for example, based on the URI to which the EDHOC
ge is sent, or external authorization data type.</t> message is sent, or external authorization data type.</t>
</section> </section>
</section> </section>
<section anchor="key-der"> <section anchor="key-der">
<name>Key Derivation</name> <name>Key Derivation</name>
<section anchor="keys-for-edhoc-message-processing"> <section anchor="keys-for-edhoc-message-processing">
<name>Keys for EDHOC Message Processing</name> <name>Keys for EDHOC Message Processing</name>
<t>EDHOC uses Extract-and-Expand <xref target="RFC5869"/> with the EDHOC <t>EDHOC uses Extract-and-Expand <xref target="RFC5869"/> with the EDHOC
hash algorithm in the selected cipher suite to derive keys used in message proc hash algorithm in the selected cipher suite to derive keys used in message proc
essing. This section defines EDHOC_Extract (<xref target="extract"/>) and EDHOC_ essing. This section defines EDHOC_Extract (<xref target="extract"/>) and EDHOC_
Expand (<xref target="expand"/>), and how to use them to derive PRK_out (<xref t Expand (<xref target="expand"/>) and how to use them to derive PRK_out (<xref ta
arget="prkout"/>) which is the shared secret session key resulting from a comple rget="prkout"/>), which is the shared secret session key resulting from a comple
ted EDHOC session.</t> ted EDHOC session.</t>
<t>EDHOC_Extract is used to derive fixed-length uniformly pseudorandom k <t>EDHOC_Extract is used to derive fixed-length uniformly pseudorandom k
eys (PRK) from ECDH shared secrets. EDHOC_Expand is used to define EDHOC_KDF for eys (PRKs) from ECDH shared secrets. EDHOC_Expand is used to define EDHOC_KDF fo
generating MACs and for deriving output keying material (OKM) from PRKs.</t> r generating MACs and for deriving output keying material (OKM) from PRKs.</t>
<t>In EDHOC a specific message is protected with a certain pseudorandom <t>In EDHOC, a specific message is protected with a certain PRK, but how
key, but how the key is derived depends on the authentication method (<xref targ the key is derived depends on the authentication method (<xref target="method"/
et="method"/>) as detailed in <xref target="asym"/>.</t> >), as detailed in <xref target="asym"/>.</t>
<!-- A diagram of the EDHOC key schedule can be found in Figure 2 of {{V
ucinic22}}. TBD: Rewrite the diagram -->
<section anchor="extract"> <section anchor="extract">
<name>EDHOC_Extract</name> <name>EDHOC_Extract</name>
<t>The pseudorandom keys (PRKs) used for EDHOC message processing are derived using EDHOC_Extract:</t> <t>The pseudorandom keys (PRKs) used for EDHOC message processing are derived using EDHOC_Extract:</t>
<artwork><![CDATA[ <artwork><![CDATA[
PRK = EDHOC_Extract( salt, IKM ) PRK = EDHOC_Extract( salt, IKM )
]]></artwork> ]]></artwork>
<t>where the input keying material (IKM) and salt are defined for each PRK below.</t> <t>where the input keying material (IKM) and salt are defined for each PRK below.</t>
<t>The definition of EDHOC_Extract depends on the EDHOC hash algorithm of the selected cipher suite:</t> <t>The definition of EDHOC_Extract depends on the EDHOC hash algorithm of the selected cipher suite:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>if the EDHOC hash algorithm is SHA-2, then EDHOC_Extract( salt, <li>If the EDHOC hash algorithm is SHA-2, then EDHOC_Extract( salt,
IKM ) = HKDF-Extract( salt, IKM ) <xref target="RFC5869"/></li> IKM ) = HKDF-Extract( salt, IKM ) <xref target="RFC5869"/>.</li>
<li>if the EDHOC hash algorithm is SHAKE128, then EDHOC_Extract( sal <li>If the EDHOC hash algorithm is SHAKE128, then EDHOC_Extract( sal
t, IKM ) = KMAC128( salt, IKM, 256, "" )</li> t, IKM ) = KMAC128( salt, IKM, 256, "" ).</li>
<li>if the EDHOC hash algorithm is SHAKE256, then EDHOC_Extract( sal <li>If the EDHOC hash algorithm is SHAKE256, then EDHOC_Extract( sal
t, IKM ) = KMAC256( salt, IKM, 512, "" )</li> t, IKM ) = KMAC256( salt, IKM, 512, "" ).</li>
</ul> </ul>
<t>where the Keccak message authentication code (KMAC) is specified in <t>where the Keccak Message Authentication Code (KMAC) is specified in
<xref target="SP800-185"/>.</t> <xref target="SP800-185"/>.</t>
<t>The rest of the section defines the pseudorandom keys PRK_2e, PRK_3 <t>The rest of the section defines the pseudorandom keys PRK_2e, PRK_3
e2m and PRK_4e3m; their use is shown in <xref target="fig-edhoc-kdf"/>. The inde e2m, and PRK_4e3m; their use is shown in <xref target="fig-edhoc-kdf"/>. The ind
x of a PRK indicates its use or in what message protection operation it is invol ex of a PRK indicates its use or in what message protection operation it is invo
ved. For example, PRK_3e2m is involved in the encryption of message 3 and in cal lved. For example, PRK_3e2m is involved in the encryption of message 3 and in c
culating the MAC of message 2.</t> alculating the MAC of message 2.</t>
<section anchor="prk2e"> <section anchor="prk2e">
<name>PRK_2e</name> <name>PRK_2e</name>
<t>The pseudorandom key PRK_2e is derived with the following input:< /t> <t>The pseudorandom key PRK_2e is derived with the following input:< /t>
<ul spacing="normal"> <ul spacing="normal">
<li>The salt SHALL be TH_2.</li> <li>The salt <bcp14>SHALL</bcp14> be TH_2.</li>
<li>The IKM SHALL be the ephemeral-ephemeral ECDH shared secret G_ <li>The IKM <bcp14>SHALL</bcp14> be the ephemeral-ephemeral ECDH s
XY (calculated from G_X and Y or G_Y and X) as defined in <xref section="6.3.1" hared secret G_XY (calculated from G_X and Y or G_Y and X) as defined in <xref s
sectionFormat="of" target="RFC9053"/>. The use of G_XY gives forward secrecy, in ection="6.3.1" sectionFormat="of" target="RFC9053"/>. The use of G_XY gives forw
the sense that compromise of the private authentication keys does not compromis ard secrecy in the sense that compromise of the private authentication keys does
e past session keys.</li> not compromise past session keys.</li>
</ul> </ul>
<t>Example: Assuming the use of curve25519, the ECDH shared secret G _XY is the output of the X25519 function <xref target="RFC7748"/>:</t> <t>Example: Assuming the use of curve25519, the ECDH shared secret G _XY is the output of the X25519 function <xref target="RFC7748"/>:</t>
<artwork><![CDATA[ <artwork><![CDATA[
G_XY = X25519( Y, G_X ) = X25519( X, G_Y ) G_XY = X25519( Y, G_X ) = X25519( X, G_Y )
]]></artwork> ]]></artwork>
<t>Example: Assuming the use of SHA-256 the extract phase of HKDF pr oduces PRK_2e as follows:</t> <t>Example: Assuming the use of SHA-256, the extract phase of the ke y derivation function is HKDF-Extract, which produces PRK_2e as follows:</t>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_2e = HMAC-SHA-256( TH_2, G_XY ) PRK_2e = HMAC-SHA-256( TH_2, G_XY )
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="prk3e2m"> <section anchor="prk3e2m">
<name>PRK_3e2m</name> <name>PRK_3e2m</name>
<t>The pseudorandom key PRK_3e2m is derived as follows:</t> <t>The pseudorandom key PRK_3e2m is derived as follows:</t>
<t>If the Responder authenticates with a static Diffie-Hellman key, then PRK_3e2m = EDHOC_Extract( SALT_3e2m, G_RX ), where</t> <t>If the Responder authenticates with a static Diffie-Hellman key, then PRK_3e2m = EDHOC_Extract( SALT_3e2m, G_RX ), where</t>
<ul spacing="normal"> <ul spacing="normal">
<li>SALT_3e2m is derived from PRK_2e, see <xref target="expand"/>, <li>SALT_3e2m is derived from PRK_2e (see <xref target="expand"/>)
and</li> and</li>
<li>G_RX is the ECDH shared secret calculated from G_R and X, or G <li>G_RX is the ECDH shared secret calculated from G_R and X, or G
_X and R (the Responder's private authentication key, see <xref target="auth-key _X and R (the Responder's private authentication key; see <xref target="auth-key
s"/>),</li> s"/>),</li>
</ul> </ul>
<t>else PRK_3e2m = PRK_2e.</t> <t>else PRK_3e2m = PRK_2e.</t>
</section> </section>
<section anchor="prk4e3m"> <section anchor="prk4e3m">
<name>PRK_4e3m</name> <name>PRK_4e3m</name>
<t>The pseudorandom key PRK_4e3m is derived as follows:</t> <t>The pseudorandom key PRK_4e3m is derived as follows:</t>
<t>If the Initiator authenticates with a static Diffie-Hellman key, then PRK_4e3m = EDHOC_Extract( SALT_4e3m, G_IY ), where</t> <t>If the Initiator authenticates with a static Diffie-Hellman key, then PRK_4e3m = EDHOC_Extract( SALT_4e3m, G_IY ), where</t>
<ul spacing="normal"> <ul spacing="normal">
<li>SALT_4e3m is derived from PRK_3e2m, see <xref target="expand"/ <li>SALT_4e3m is derived from PRK_3e2m (see <xref target="expand"/
>, and</li> >) and</li>
<li>G_IY is the ECDH shared secret calculated from G_I and Y, or G <li>G_IY is the ECDH shared secret calculated from G_I and Y, or G
_Y and I (the Initiator's private authentication key, see <xref target="auth-key _Y and I (the Initiator's private authentication key; see <xref target="auth-key
s"/>),</li> s"/>),</li>
</ul> </ul>
<t>else PRK_4e3m = PRK_3e2m.</t> <t>else PRK_4e3m = PRK_3e2m.</t>
</section> </section>
</section> </section>
<section anchor="expand"> <section anchor="expand">
<name>EDHOC_Expand and EDHOC_KDF</name> <name>EDHOC_Expand and EDHOC_KDF</name>
<t>The output keying material (OKM) - including keys, IVs, and salts - are derived from the PRKs using the EDHOC_KDF, which is defined through EDHOC_E xpand:</t> <t>The output keying material (OKM) -- including keys, initialization vectors (IVs), and salts -- are derived from the PRKs using the EDHOC_KDF, which is defined through EDHOC_Expand:</t>
<artwork><![CDATA[ <artwork><![CDATA[
OKM = EDHOC_KDF( PRK, info_label, context, length ) OKM = EDHOC_KDF( PRK, info_label, context, length )
= EDHOC_Expand( PRK, info, length ) = EDHOC_Expand( PRK, info, length )
]]></artwork> ]]></artwork>
<t>where info is encoded as the CBOR sequence</t> <t>where info is encoded as the CBOR sequence:</t>
<sourcecode type="CDDL"><![CDATA[ <sourcecode type="cbor"><![CDATA[
info = ( info = (
info_label : int, info_label : int,
context : bstr, context : bstr,
length : uint, length : uint,
) )
]]></sourcecode> ]]></sourcecode>
<t>where</t> <t>where:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>info_label is an int</li> <li>info_label is an int,</li>
<li>context is a bstr</li> <li>context is a bstr, and</li>
<li>length is the length of OKM in bytes</li> <li>length is the length of OKM in bytes.</li>
</ul> </ul>
<t>When EDHOC_KDF is used to derive OKM for EDHOC message processing, then context includes one of the transcript hashes TH_2, TH_3, or TH_4 defined i n Sections <xref target="asym-msg2-proc" format="counter"/> and <xref target="as ym-msg3-proc" format="counter"/>.</t> <t>When EDHOC_KDF is used to derive OKM for EDHOC message processing, then the context includes one of the transcript hashes, TH_2, TH_3, or TH_4, def ined in Sections <xref target="asym-msg2-proc" format="counter"/> and <xref targ et="asym-msg3-proc" format="counter"/>.</t>
<t>The definition of EDHOC_Expand depends on the EDHOC hash algorithm of the selected cipher suite:</t> <t>The definition of EDHOC_Expand depends on the EDHOC hash algorithm of the selected cipher suite:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>if the EDHOC hash algorithm is SHA-2, then EDHOC_Expand( PRK, in <li>If the EDHOC hash algorithm is SHA-2, then EDHOC_Expand( PRK, in
fo, length ) = HKDF-Expand( PRK, info, length ) <xref target="RFC5869"/></li> fo, length ) = HKDF-Expand( PRK, info, length ) <xref target="RFC5869"/>.</li>
<li>if the EDHOC hash algorithm is SHAKE128, then EDHOC_Expand( PRK, <li>If the EDHOC hash algorithm is SHAKE128, then EDHOC_Expand( PRK,
info, length ) = KMAC128( PRK, info, L, "" )</li> info, length ) = KMAC128( PRK, info, L, "" ).</li>
<li>if the EDHOC hash algorithm is SHAKE256, then EDHOC_Expand( PRK, <li>If the EDHOC hash algorithm is SHAKE256, then EDHOC_Expand( PRK,
info, length ) = KMAC256( PRK, info, L, "" )</li> info, length ) = KMAC256( PRK, info, L, "" ).</li>
</ul> </ul>
<t>where L = 8 <contact fullname="⋅"/> length, the output length in bi <t>where L = 8 length, the output length in bits.</t>
ts.</t> <t><xref target="fig-edhoc-kdf"/> lists derivations made with EDHOC_KD
<t><xref target="fig-edhoc-kdf"/> lists derivations made with EDHOC_KD F, where:</t>
F, where</t>
<ul spacing="normal"> <ul spacing="normal">
<li>hash_length - length of output size of the EDHOC hash algorithm <li>hash_length is the length of output size of the EDHOC hash algor
of the selected cipher suite</li> ithm of the selected cipher suite,</li>
<li>key_length - length of the encryption key of the EDHOC AEAD algo <li>key_length is the length of the encryption key of the EDHOC AEAD
rithm of the selected cipher suite</li> algorithm of the selected cipher suite, and</li>
<li>iv_length - length of the initialization vector of the EDHOC AEA <li>iv_length is the length of the initialization vector of the EDHO
D algorithm of the selected cipher suite</li> C AEAD algorithm of the selected cipher suite</li>
</ul> </ul>
<t>Further details of the key derivation and how the output keying mat erial is used are specified in <xref target="asym"/>.</t> <t>Further details of the key derivation and how the output keying mat erial is used are specified in <xref target="asym"/>.</t>
<figure anchor="fig-edhoc-kdf"> <figure anchor="fig-edhoc-kdf">
<name>Key derivations using EDHOC_KDF. h'' is CBOR diagnostic notati on for the empty byte string, 0x40.</name> <name>Key Derivations Using EDHOC_KDF</name>
<artwork align="center"><![CDATA[ <artwork align="center"><![CDATA[
KEYSTREAM_2 = EDHOC_KDF( PRK_2e, 0, TH_2, plaintext_length ) KEYSTREAM_2 = EDHOC_KDF( PRK_2e, 0, TH_2, plaintext_length )
SALT_3e2m = EDHOC_KDF( PRK_2e, 1, TH_2, hash_length ) SALT_3e2m = EDHOC_KDF( PRK_2e, 1, TH_2, hash_length )
MAC_2 = EDHOC_KDF( PRK_3e2m, 2, context_2, mac_length_2 ) MAC_2 = EDHOC_KDF( PRK_3e2m, 2, context_2, mac_length_2 )
K_3 = EDHOC_KDF( PRK_3e2m, 3, TH_3, key_length ) K_3 = EDHOC_KDF( PRK_3e2m, 3, TH_3, key_length )
IV_3 = EDHOC_KDF( PRK_3e2m, 4, TH_3, iv_length ) IV_3 = EDHOC_KDF( PRK_3e2m, 4, TH_3, iv_length )
SALT_4e3m = EDHOC_KDF( PRK_3e2m, 5, TH_3, hash_length ) SALT_4e3m = EDHOC_KDF( PRK_3e2m, 5, TH_3, hash_length )
MAC_3 = EDHOC_KDF( PRK_4e3m, 6, context_3, mac_length_3 ) MAC_3 = EDHOC_KDF( PRK_4e3m, 6, context_3, mac_length_3 )
PRK_out = EDHOC_KDF( PRK_4e3m, 7, TH_4, hash_length ) PRK_out = EDHOC_KDF( PRK_4e3m, 7, TH_4, hash_length )
K_4 = EDHOC_KDF( PRK_4e3m, 8, TH_4, key_length ) K_4 = EDHOC_KDF( PRK_4e3m, 8, TH_4, key_length )
IV_4 = EDHOC_KDF( PRK_4e3m, 9, TH_4, iv_length ) IV_4 = EDHOC_KDF( PRK_4e3m, 9, TH_4, iv_length )
PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length ) PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length )
]]></artwork> ]]></artwork>
</figure> </figure>
<t>h'' is CBOR diagnostic notation for the empty byte string, 0x40.</t>
</section> </section>
<section anchor="prkout"> <section anchor="prkout">
<name>PRK_out</name> <name>PRK_out</name>
<t>The pseudorandom key PRK_out, derived as shown in <xref target="fig -edhoc-kdf"/>, is the output session key of a completed EDHOC session.</t> <t>The pseudorandom key PRK_out, derived as shown in <xref target="fig -edhoc-kdf"/>, is the output session key of a completed EDHOC session.</t>
<t>Keys for applications are derived using EDHOC_Exporter (see <xref t arget="exporter"/>) from PRK_exporter, which in turn is derived from PRK_out as shown in <xref target="fig-edhoc-kdf"/>. For the purpose of generating applicati on keys, it is sufficient to store PRK_out or PRK_exporter. (Note that the word "store" used here does not imply that the application has access to the plaintex t PRK_out since that may be reserved for code within a Trusted Execution Environ ment, see <xref target="impl-cons"/>).</t> <t>Keys for applications are derived using EDHOC_Exporter (see <xref t arget="exporter"/>) from PRK_exporter, which in turn is derived from PRK_out as shown in <xref target="fig-edhoc-kdf"/>. For the purpose of generating applicati on keys, it is sufficient to store PRK_out or PRK_exporter. (Note that the word "store" used here does not imply that the application has access to the plaintex t PRK_out since that may be reserved for code within a Trusted Execution Environ ment (TEE); see <xref target="impl-cons"/>.)</t>
</section> </section>
</section> </section>
<section anchor="keys-for-edhoc-applications"> <section anchor="keys-for-edhoc-applications">
<name>Keys for EDHOC Applications</name> <name>Keys for EDHOC Applications</name>
<t>This section defines EDHOC_Exporter in terms of EDHOC_KDF and PRK_exp orter. A key update function is defined in <xref target="keyupdate"/>.</t> <t>This section defines EDHOC_Exporter in terms of EDHOC_KDF and PRK_exp orter. A key update function is defined in <xref target="keyupdate"/>.</t>
<section anchor="exporter"> <section anchor="exporter">
<name>EDHOC_Exporter</name> <name>EDHOC_Exporter</name>
<t>Keying material for the application can be derived using the EDHOC_ Exporter interface defined as:</t> <t>Keying material for the application can be derived using the EDHOC_ Exporter interface defined as:</t>
<artwork><![CDATA[ <artwork><![CDATA[
EDHOC_Exporter(exporter_label, context, length) EDHOC_Exporter(exporter_label, context, length)
= EDHOC_KDF(PRK_exporter, exporter_label, context, length) = EDHOC_KDF(PRK_exporter, exporter_label, context, length)
]]></artwork> ]]></artwork>
<t>where</t> <t>where:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>exporter_label is a registered uint from the EDHOC_Exporter Labe <li>exporter_label is a registered uint from the "EDHOC Exporter Lab
l registry (<xref target="exporter-label"/>)</li> els" registry (<xref target="exporter-label"/>),</li>
<li>context is a bstr defined by the application</li> <li>context is a bstr defined by the application, and</li>
<li>length is a uint defined by the application</li> <li>length is a uint defined by the application.</li>
</ul> </ul>
<t>The (exporter_label, context) pair used in EDHOC_Exporter must be u nique, i.e., an (exporter_label, context) MUST NOT be used for two different pur poses. However, an application can re-derive the same key several times as long as it is done securely. For example, in most encryption algorithms the same key can be reused with different nonces. The context can for example be the empty CB OR byte string.</t> <t>The (exporter_label, context) pair used in EDHOC_Exporter must be u nique, i.e., an (exporter_label, context) <bcp14>MUST NOT</bcp14> be used for tw o different purposes. However, an application can re-derive the same key several times as long as it is done securely. For example, in most encryption algorithm s, the same key can be reused with different nonces. The context can, for exampl e, be the empty CBOR byte string.</t>
<t>Examples of use of the EDHOC_Exporter are given in <xref target="tr ansfer"/>.</t> <t>Examples of use of the EDHOC_Exporter are given in <xref target="tr ansfer"/>.</t>
</section> </section>
</section> </section>
</section> </section>
<section anchor="asym"> <section anchor="asym">
<name>Message Formatting and Processing</name> <name>Message Formatting and Processing</name>
<t>This section specifies formatting of the messages and processing steps. <t>This section specifies formatting of the messages and processing steps.
Error messages are specified in <xref target="error"/>. Annotated traces of EDH Error messages are specified in <xref target="error"/>. Annotated traces of EDH
OC sessions are provided in <xref target="I-D.ietf-lake-traces"/>.</t> OC sessions are provided in <xref target="RFC9529"/>.</t>
<t>An EDHOC message is encoded as a sequence of CBOR data items (CBOR Sequ <t>An EDHOC message is encoded as a sequence of CBOR data items (CBOR Sequ
ence, <xref target="RFC8742"/>). ence <xref target="RFC8742"/>).
Additional optimizations are made to reduce message overhead.</t> Additional optimizations are made to reduce message overhead.</t>
<t>While EDHOC uses the COSE_Key, COSE_Sign1, and COSE_Encrypt0 structures , only a subset of the parameters is included in the EDHOC messages, see <xref t arget="COSE"/>. In order to recreate the COSE object, the recipient endpoint may need to add parameters to the COSE headers not included in the EDHOC message, f or example the parameter 'alg' to COSE_Sign1 or COSE_Encrypt0.</t> <t>While EDHOC uses the COSE_Key, COSE_Sign1, and COSE_Encrypt0 structures , only a subset of the parameters is included in the EDHOC messages; see <xref t arget="COSE"/>. In order to recreate the COSE object, the recipient endpoint may need to add parameters to the COSE headers not included in the EDHOC message, f or example, the parameter 'alg' to COSE_Sign1 or COSE_Encrypt0.</t>
<section anchor="proc-outline"> <section anchor="proc-outline">
<name>EDHOC Message Processing Outline</name> <name>EDHOC Message Processing Outline</name>
<t>For each new/ongoing EDHOC session, the endpoints are assumed to keep <t>For each new/ongoing EDHOC session, the endpoints are assumed to keep
an associated protocol state containing identifiers, keying material, etc. used an associated protocol state containing identifiers, keying material, etc. used
for subsequent processing of protocol related data. The protocol state is assum for subsequent processing of protocol-related data. The protocol state is assum
ed to be associated with an application profile (<xref target="applicability"/>) ed to be associated with an application profile (<xref target="applicability"/>)
which provides the context for how messages are transported, identified, and pr that provides the context for how messages are transported, identified, and pro
ocessed.</t> cessed.</t>
<t>EDHOC messages SHALL be processed according to the current protocol s <t>EDHOC messages <bcp14>SHALL</bcp14> be processed according to the cur
tate. The following steps are expected to be performed at reception of an EDHOC rent protocol state. The following steps are expected to be performed at recepti
message:</t> on of an EDHOC message:</t>
<ol spacing="normal" type="1"><li>Detect that an EDHOC message has been <ol spacing="normal" type="1"><li>Detect that an EDHOC message has been
received, for example by means of port number, URI, or media type (<xref target= received, for example, by means of a port number, URI, or media type (<xref targ
"applicability"/>).</li> et="applicability"/>).</li>
<li>Retrieve the protocol state according to the message correlation, <li>Retrieve the protocol state according to the message correlation;
see <xref target="ci-edhoc"/>. If there is no protocol state, in the case of mes see <xref target="ci-edhoc"/>. If there is no protocol state, in the case of mes
sage_1, a new protocol state is created. The Responder endpoint needs to make us sage_1, a new protocol state is created. The Responder endpoint needs to make us
e of available denial-of-service mitigation (<xref target="dos"/>).</li> e of available denial-of-service mitigation (<xref target="dos"/>).</li>
<li>If the message received is an error message, then process it accor ding to <xref target="error"/>, else process it as the expected next message acc ording to the protocol state.</li> <li>If the message received is an error message, then process it accor ding to <xref target="error"/>, else process it as the expected next message acc ording to the protocol state.</li>
</ol> </ol>
<t>The message processing steps SHALL be processed in order, unless othe <t>The message processing steps <bcp14>SHALL</bcp14> be processed in ord
rwise stated. If the processing fails for some reason then, typically, an error er, unless otherwise stated. If the processing fails for some reason, then typic
message is sent, the EDHOC session is aborted, and the protocol state erased. Wh ally an error message is sent, the EDHOC session is aborted, and the protocol st
en the composition and sending of one message is completed and before the next m ate is erased. When the composition and sending of one message is completed and
essage is received, error messages SHALL NOT be sent.</t> before the next message is received, error messages <bcp14>SHALL NOT</bcp14> be
<t>After having successfully processed the last message (message_3 or me sent.</t>
ssage_4 depending on application profile) the EDHOC session is completed, after <t>After having successfully processed the last message (message_3 or me
which no error messages are sent and EDHOC session output MAY be maintained even ssage_4 depending on application profile), the EDHOC session is completed; after
if error messages are received. Further details are provided in the following s which, no error messages are sent and EDHOC session output <bcp14>MAY</bcp14> b
ubsections and in <xref target="error"/>.</t> e maintained even if error messages are received. Further details are provided i
<t>Different instances of the same message MUST NOT be processed in one n the following subsections and in <xref target="error"/>.</t>
EDHOC session. Note that processing will fail if the same message appears a sec <t>Different instances of the same message <bcp14>MUST NOT</bcp14> be pr
ond time for EDHOC processing in the same EDHOC session because the state of the ocessed in one EDHOC session. Note that processing will fail if the same messag
protocol has moved on and now expects something else. Message deduplication MUS e appears a second time for EDHOC processing in the same EDHOC session because t
T be done by the transport protocol (see <xref target="transport"/>) or, if not he state of the protocol has moved on and now expects something else. Message de
supported by the transport, as described in <xref target="duplication"/>.</t> duplication <bcp14>MUST</bcp14> be done by the transport protocol (see <xref tar
get="transport"/>) or, if not supported by the transport, as described in <xref
target="duplication"/>.</t>
</section> </section>
<section anchor="m1"> <section anchor="m1">
<name>EDHOC Message 1</name> <name>EDHOC Message 1</name>
<section anchor="asym-msg1-form"> <section anchor="asym-msg1-form">
<name>Formatting of Message 1</name> <name>Formatting of Message 1</name>
<t>message_1 SHALL be a CBOR Sequence (see <xref target="CBOR"/>) as d <t>message_1 <bcp14>SHALL</bcp14> be a CBOR Sequence (see <xref target
efined below</t> ="CBOR"/>), as defined below.</t>
<sourcecode type="CDDL"><![CDATA[ <sourcecode type="cbor"><![CDATA[
message_1 = ( message_1 = (
METHOD : int, METHOD : int,
SUITES_I : suites, SUITES_I : suites,
G_X : bstr, G_X : bstr,
C_I : bstr / -24..23, C_I : bstr / -24..23,
? EAD_1, ? EAD_1,
) )
suites = [ 2* int ] / int suites = [ 2* int ] / int
EAD_1 = 1* ead EAD_1 = 1* ead
]]></sourcecode> ]]></sourcecode>
<t>where:</t> <t>where:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>METHOD - authentication method, see <xref target="method"/>.</li <li>METHOD is an authentication method; see <xref target="method"/>,
> </li>
<li>SUITES_I - array of cipher suites which the Initiator supports c <li>SUITES_I is an array of cipher suites that the Initiator support
onstructed as specified in <xref target="init-proc-msg1"/>.</li> s constructed as specified in <xref target="init-proc-msg1"/>,</li>
<li>G_X - the ephemeral public key of the Initiator</li> <li>G_X is the ephemeral public key of the Initiator, and</li>
<li>C_I - variable length connection identifier. Note that connectio <li>C_I is a variable-length connection identifier (note that connec
n identifiers are byte strings but certain values are represented as integers in tion identifiers are byte strings but certain values are represented as integers
the message, see <xref target="bstr-repr"/>.</li> in the message; see <xref target="bstr-repr"/>), and</li>
<li>EAD_1 - external authorization data, see <xref target="AD"/>.</l <li>EAD_1 is external authorization data; see <xref target="AD"/>.</
i> li>
</ul> </ul>
</section> </section>
<section anchor="init-proc-msg1"> <section anchor="init-proc-msg1">
<name>Initiator Composition of Message 1</name> <name>Initiator Composition of Message 1</name>
<t>The processing steps are detailed below and in <xref target="wrong- selected"/>.</t> <t>The processing steps are detailed below and in <xref target="wrong- selected"/>.</t>
<t>The Initiator SHALL compose message_1 as follows:</t> <t>The Initiator <bcp14>SHALL</bcp14> compose message_1 as follows:</t >
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>Construct SUITES_I as an array of cipher suites supported by I in order of preference by I with the first cipher suite in the array being the m ost preferred by I, and the last being the one selected by I for this EDHOC sess ion. If the cipher suite most preferred by I is selected then SUITES_I contains only that cipher suite and is encoded as an int. All cipher suites, if any, pref erred by I over the selected one MUST be included. (See also <xref target="wrong -selected"/>.) <t>Construct SUITES_I as an array of cipher suites supported by I in order of preference by I with the first cipher suite in the array being the m ost preferred by I and the last being the one selected by I for this EDHOC sessi on. If the cipher suite most preferred by I is selected, then SUITES_I contains only that cipher suite and is encoded as an int. All cipher suites, if any, pref erred by I over the selected one <bcp14>MUST</bcp14> be included. (See also <xre f target="wrong-selected"/>.)
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>The selected suite is based on what the Initiator can assume <li>The selected suite is based on what the Initiator can assume
to be supported by the Responder; if the Initiator previously received from the to be supported by the Responder; if the Initiator previously received from the
Responder an error message with error code 2 containing SUITES_R (see <xref tar Responder an error message with error code 2 containing SUITES_R (see <xref tar
get="wrong-selected"/>) indicating cipher suites supported by the Responder, the get="wrong-selected"/>) indicating cipher suites supported by the Responder, the
n the Initiator SHOULD select its most preferred supported cipher suite among th n the Initiator <bcp14>SHOULD</bcp14> select its most preferred supported cipher
ose (bearing in mind that error messages may be forged).</li> suite among those (bearing in mind that error messages may be forged).</li>
<li>The Initiator MUST NOT change its order of preference for ci <li>The Initiator <bcp14>MUST NOT</bcp14> change its order of pr
pher suites, and MUST NOT omit a cipher suite preferred to the selected one beca eference for cipher suites and <bcp14>MUST NOT</bcp14> omit a cipher suite prefe
use of previous error messages received from the Responder.</li> rred to the selected one because of previous error messages received from the Re
sponder.</li>
</ul> </ul>
</li> </li>
<li>Generate an ephemeral ECDH key pair using the curve in the selec ted cipher suite and format it as a COSE_Key. Let G_X be the 'x' parameter of th e COSE_Key.</li> <li>Generate an ephemeral ECDH key pair using the curve in the selec ted cipher suite and format it as a COSE_Key. Let G_X be the 'x' parameter of th e COSE_Key.</li>
<li>Choose a connection identifier C_I and store it during the EDHOC session.</li> <li>Choose a connection identifier C_I and store it during the EDHOC session.</li>
<li>Encode message_1 as a sequence of CBOR encoded data items as spe cified in <xref target="asym-msg1-form"/></li> <li>Encode message_1 as a sequence of CBOR-encoded data items as spe cified in <xref target="asym-msg1-form"/></li>
</ul> </ul>
</section> </section>
<section anchor="resp-proc-msg1"> <section anchor="resp-proc-msg1">
<name>Responder Processing of Message 1</name> <name>Responder Processing of Message 1</name>
<t>The Responder SHALL process message_1 in the following order:</t> <t>The Responder <bcp14>SHALL</bcp14> process message_1 in the followi
<ul spacing="normal"> ng order:</t>
<ol spacing="normal">
<li>Decode message_1 (see <xref target="CBOR"/>).</li> <li>Decode message_1 (see <xref target="CBOR"/>).</li>
<li>Process message_1, in particular verify that the selected cipher suite is supported and that no prior cipher suite as ordered in SUITES_I is sup ported.</li> <li>Process message_1. In particular, verify that the selected ciphe r suite is supported and that no prior cipher suite as ordered in SUITES_I is su pported.</li>
<li>If all processing completed successfully, and if EAD_1 is presen t, then make it available to the application for EAD processing.</li> <li>If all processing completed successfully, and if EAD_1 is presen t, then make it available to the application for EAD processing.</li>
</ul> </ol>
<t>If any processing step fails, then the Responder MUST send an EDHOC <t>If any processing step fails, then the Responder <bcp14>MUST</bcp14
error message back as defined in <xref target="error"/>, and the EDHOC session > send an EDHOC error message back as defined in <xref target="error"/>, and the
MUST be aborted.</t> EDHOC session <bcp14>MUST</bcp14> be aborted.</t>
</section> </section>
</section> </section>
<section anchor="m2"> <section anchor="m2">
<name>EDHOC Message 2</name> <name>EDHOC Message 2</name>
<section anchor="asym-msg2-form"> <section anchor="asym-msg2-form">
<name>Formatting of Message 2</name> <name>Formatting of Message 2</name>
<t>message_2 SHALL be a CBOR Sequence (see <xref target="CBOR"/>) as d <t>message_2 <bcp14>SHALL</bcp14> be a CBOR Sequence (see <xref target
efined below</t> ="CBOR"/>), as defined below.</t>
<sourcecode type="CDDL"><![CDATA[ <sourcecode type="cbor"><![CDATA[
message_2 = ( message_2 = (
G_Y_CIPHERTEXT_2 : bstr, G_Y_CIPHERTEXT_2 : bstr,
) )
]]></sourcecode> ]]></sourcecode>
<t>where:</t> <t>where:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>G_Y_CIPHERTEXT_2 - the concatenation of G_Y (i.e., the ephemeral public key of the Responder) and CIPHERTEXT_2.</li> <li>G_Y_CIPHERTEXT_2 is the concatenation of G_Y (i.e., the ephemera l public key of the Responder) and CIPHERTEXT_2.</li>
</ul> </ul>
</section> </section>
<section anchor="asym-msg2-proc"> <section anchor="asym-msg2-proc">
<name>Responder Composition of Message 2</name> <name>Responder Composition of Message 2</name>
<t>The Responder SHALL compose message_2 as follows:</t> <t>The Responder <bcp14>SHALL</bcp14> compose message_2 as follows:</t >
<ul spacing="normal"> <ul spacing="normal">
<li>Generate an ephemeral ECDH key pair using the curve in the selec ted cipher suite and format it as a COSE_Key. Let G_Y be the 'x' parameter of th e COSE_Key.</li> <li>Generate an ephemeral ECDH key pair using the curve in the selec ted cipher suite and format it as a COSE_Key. Let G_Y be the 'x' parameter of th e COSE_Key.</li>
<li>Choose a connection identifier C_R and store it for the length o f the EDHOC session.</li> <li>Choose a connection identifier C_R and store it for the length o f the EDHOC session.</li>
<li>Compute the transcript hash TH_2 = H( G_Y, H(message_1) ) where H() is the EDHOC hash algorithm of the selected cipher suite. The input to the h ash function is a CBOR Sequence. Note that H(message_1) can be computed and cach ed already in the processing of message_1.</li> <li>Compute the transcript hash TH_2 = H( G_Y, H(message_1) ), where H() is the EDHOC hash algorithm of the selected cipher suite. The input to the hash function is a CBOR Sequence. Note that H(message_1) can be computed and cac hed already in the processing of message_1.</li>
<li> <li>
<t>Compute MAC_2 as in <xref target="expand"/> with context_2 = &l t;&lt; ID_CRED_R, TH_2, CRED_R, ? EAD_2 &gt;&gt; (see <xref target="CBOR"/> for notation) <t>Compute MAC_2 as in <xref target="expand"/> with context_2 = &l t;&lt; C_R, ID_CRED_R, TH_2, CRED_R, ? EAD_2 &gt;&gt; (see <xref target="CBOR"/> for notation).
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>If the Responder authenticates with a static Diffie-Hellman key (method equals 1 or 3), then mac_length_2 is the EDHOC MAC length of the sel ected cipher suite. If the Responder authenticates with a signature key (method equals 0 or 2), then mac_length_2 is equal to hash_length.</li> <li>If the Responder authenticates with a static Diffie-Hellman key (method equals 1 or 3), then mac_length_2 is the EDHOC MAC length of the sel ected cipher suite. If the Responder authenticates with a signature key (method equals 0 or 2), then mac_length_2 is equal to hash_length.</li>
<li>ID_CRED_R - identifier to facilitate the retrieval of CRED_R <li>C_R is a variable-length connection identifier. Note that co
, see <xref target="id_cred"/></li> nnection identifiers are byte strings but certain values are represented as inte
<li>CRED_R - CBOR item containing the authentication credential gers in the message; see <xref target="bstr-repr"/>.</li>
of the Responder, see <xref target="auth-cred"/></li> <li>ID_CRED_R is an identifier to facilitate the retrieval of CR
<li>EAD_2 - external authorization data, see <xref target="AD"/> ED_R; see <xref target="id_cred"/>.</li>
</li> <li>CRED_R is a CBOR item containing the authentication credenti
al of the Responder; see <xref target="auth-cred"/>.</li>
<li>EAD_2 is external authorization data; see <xref target="AD"/
>.</li>
</ul> </ul>
</li> </li>
<li> <li>
<t>If the Responder authenticates with a static Diffie-Hellman key (method equals 1 or 3), then Signature_or_MAC_2 is MAC_2. If the Responder auth enticates with a signature key (method equals 0 or 2), then Signature_or_MAC_2 i s the 'signature' field of a COSE_Sign1 object, computed as specified in Section 4.4 of <xref target="RFC9053"/> using the signature algorithm of the selected c ipher suite, the private authentication key of the Responder, and the following parameters as input (see <xref target="COSE"/> for an overview of COSE and <xref target="CBOR"/> for notation): </t> <t>If the Responder authenticates with a static Diffie-Hellman key (method equals 1 or 3), then Signature_or_MAC_2 is MAC_2. If the Responder auth enticates with a signature key (method equals 0 or 2), then Signature_or_MAC_2 i s the 'signature' field of a COSE_Sign1 object, computed as specified in <xref t arget="RFC9052" section="4.4" sectionFormat="of"/> using the signature algorithm of the selected cipher suite, the private authentication key of the Responder, and the following parameters as input (see <xref target="COSE"/> for an overview of COSE and <xref target="CBOR"/> for notation): </t>
<ul spacing="normal"> <ul spacing="normal">
<li>protected = &lt;&lt; ID_CRED_R &gt;&gt;</li> <li>protected = &lt;&lt; ID_CRED_R &gt;&gt;</li>
<li>external_aad = &lt;&lt; TH_2, CRED_R, ? EAD_2 &gt;&gt;</li> <li>external_aad = &lt;&lt; TH_2, CRED_R, ? EAD_2 &gt;&gt;</li>
<li>payload = MAC_2</li> <li>payload = MAC_2</li>
</ul> </ul>
</li> </li>
<li> <li>
<t>CIPHERTEXT_2 is calculated with a binary additive stream cipher , using a keystream generated with EDHOC_Expand, and the following plaintext: < /t> <t>CIPHERTEXT_2 is calculated with a binary additive stream cipher , using a keystream generated with EDHOC_Expand and the following plaintext: </ t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>PLAINTEXT_2 = ( C_R, ID_CRED_R / bstr / -24..23, Signature_ or_MAC_2, ? EAD_2 ) </t> <t>PLAINTEXT_2 = ( C_R, ID_CRED_R / bstr / -24..23, Signature_ or_MAC_2, ? EAD_2 ) </t>
<ul spacing="normal"> <ul spacing="normal">
<li>If ID_CRED_R contains a single 'kid' parameter, i.e., ID <li>If ID_CRED_R contains a single 'kid' parameter, i.e., ID
_CRED_R = { 4 : kid_R }, then the compact encoding is applied, see <xref target= _CRED_R = { 4 : kid_R }, then the compact encoding is applied; see <xref target=
"compact-kid"/>.</li> "compact-kid"/>.</li>
<li>C_R - variable length connection identifier. Note that c <li>C_R is the variable-length connection identifier. Note t
onnection identifiers are byte strings but certain values are represented as int hat connection identifiers are byte strings, but certain values are represented
egers in the message, see <xref target="bstr-repr"/>.</li> as integers in the message; see <xref target="bstr-repr"/>.</li>
</ul> </ul>
</li> </li>
<li>Compute KEYSTREAM_2 as in <xref target="expand"/>, where pla intext_length is the length of PLAINTEXT_2. For the case of plaintext_length exc eeding the EDHOC_KDF output size, see <xref target="large-plaintext_2"/>.</li> <li>Compute KEYSTREAM_2 as in <xref target="expand"/>, where pla intext_length is the length of PLAINTEXT_2. For the case of plaintext_length exc eeding the EDHOC_KDF output size, see <xref target="large-plaintext_2"/>.</li>
<li>CIPHERTEXT_2 = PLAINTEXT_2 XOR KEYSTREAM_2</li> <li>CIPHERTEXT_2 = PLAINTEXT_2 XOR KEYSTREAM_2</li>
</ul> </ul>
</li> </li>
<li>Encode message_2 as a sequence of CBOR encoded data items as spe cified in <xref target="asym-msg2-form"/>.</li> <li>Encode message_2 as a sequence of CBOR-encoded data items as spe cified in <xref target="asym-msg2-form"/>.</li>
</ul> </ul>
</section> </section>
<section anchor="initiator-processing-of-message-2"> <section anchor="initiator-processing-of-message-2">
<name>Initiator Processing of Message 2</name> <name>Initiator Processing of Message 2</name>
<t>The Initiator SHALL process message_2 in the following order:</t> <t>The Initiator <bcp14>SHALL</bcp14> process message_2 in the followi
<ul spacing="normal"> ng order:</t>
<ol spacing="normal">
<li>Decode message_2 (see <xref target="CBOR"/>).</li> <li>Decode message_2 (see <xref target="CBOR"/>).</li>
<li>Retrieve the protocol state using available message correlation <li>Retrieve the protocol state using available message correlation
(e.g., the CoAP Token, the 5-tuple, or the prepended C_I, see <xref target="ci-e (e.g., the CoAP Token, the 5-tuple, or the prepended C_I; see <xref target="ci-e
dhoc"/>).</li> dhoc"/>).</li>
<li>Decrypt CIPHERTEXT_2, see <xref target="asym-msg2-proc"/>.</li> <li>Decrypt CIPHERTEXT_2; see <xref target="asym-msg2-proc"/>.</li>
<li>If all processing completed successfully, then make ID_CRED_R an <li>If all processing is completed successfully, then make ID_CRED_R
d (if present) EAD_2 available to the application for authentication- and EAD pr and (if present) EAD_2 available to the application for authentication and EAD
ocessing. When and how to perform authentication is up to the application.</li> processing. When and how to perform authentication is up to the application.</li
>
<li>Obtain the authentication credential (CRED_R) and the authentica tion key of R from the application (or by other means).</li> <li>Obtain the authentication credential (CRED_R) and the authentica tion key of R from the application (or by other means).</li>
<li>Verify Signature_or_MAC_2 using the algorithm in the selected ci <li>Verify Signature_or_MAC_2 using the algorithm in the selected ci
pher suite. The verification process depends on the method, see <xref target="as pher suite. The verification process depends on the method; see <xref target="as
ym-msg2-proc"/>. Make the result of the verification available to the applicatio ym-msg2-proc"/>. Make the result of the verification available to the applicatio
n.</li> n.</li>
</ul> </ol>
<t>If any processing step fails, then the Initiator MUST send an EDHOC <t>If any processing step fails, then the Initiator <bcp14>MUST</bcp14
error message back as defined in <xref target="error"/>, and the EDHOC session > send an EDHOC error message back as defined in <xref target="error"/>, and the
MUST be aborted.</t> EDHOC session <bcp14>MUST</bcp14> be aborted.</t>
</section> </section>
</section> </section>
<section anchor="m3"> <section anchor="m3">
<name>EDHOC Message 3</name> <name>EDHOC Message 3</name>
<section anchor="asym-msg3-form"> <section anchor="asym-msg3-form">
<name>Formatting of Message 3</name> <name>Formatting of Message 3</name>
<t>message_3 SHALL be a CBOR Sequence (see <xref target="CBOR"/>) as d <t>message_3 <bcp14>SHALL</bcp14> be a CBOR Sequence (see <xref target
efined below</t> ="CBOR"/>), as defined below.</t>
<sourcecode type="CDDL"><![CDATA[ <sourcecode type="cbor"><![CDATA[
message_3 = ( message_3 = (
CIPHERTEXT_3 : bstr, CIPHERTEXT_3 : bstr,
) )
]]></sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="asym-msg3-proc"> <section anchor="asym-msg3-proc">
<name>Initiator Composition of Message 3</name> <name>Initiator Composition of Message 3</name>
<t>The Initiator SHALL compose message_3 as follows:</t> <t>The Initiator <bcp14>SHALL</bcp14> compose message_3 as follows:</t >
<ul spacing="normal"> <ul spacing="normal">
<li>Compute the transcript hash TH_3 = H(TH_2, PLAINTEXT_2, CRED_R) where H() is the EDHOC hash algorithm of the selected cipher suite. The input to the hash function is a CBOR Sequence. Note that TH_3 can be computed and cached already in the processing of message_2.</li> <li>Compute the transcript hash TH_3 = H(TH_2, PLAINTEXT_2, CRED_R), where H() is the EDHOC hash algorithm of the selected cipher suite. The input t o the hash function is a CBOR Sequence. Note that TH_3 can be computed and cache d already in the processing of message_2.</li>
<li> <li>
<t>Compute MAC_3 as in <xref target="expand"/>, with context_3 = & lt;&lt; ID_CRED_I, TH_3, CRED_I, ? EAD_3 &gt;&gt; <t>Compute MAC_3 as in <xref target="expand"/>, with context_3 = & lt;&lt; ID_CRED_I, TH_3, CRED_I, ? EAD_3 &gt;&gt;
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>If the Initiator authenticates with a static Diffie-Hellman key (method equals 2 or 3), then mac_length_3 is the EDHOC MAC length of the sel ected cipher suite. If the Initiator authenticates with a signature key (method equals 0 or 1), then mac_length_3 is equal to hash_length.</li> <li>If the Initiator authenticates with a static Diffie-Hellman key (method equals 2 or 3), then mac_length_3 is the EDHOC MAC length of the sel ected cipher suite. If the Initiator authenticates with a signature key (method equals 0 or 1), then mac_length_3 is equal to hash_length.</li>
<li>ID_CRED_I - identifier to facilitate the retrieval of CRED_I <li>ID_CRED_I is an identifier to facilitate the retrieval of CR
, see <xref target="id_cred"/></li> ED_I; see <xref target="id_cred"/>.</li>
<li>CRED_I - CBOR item containing the authentication credential <li>CRED_I is a CBOR item containing the authentication credenti
of the Initiator, see <xref target="auth-cred"/></li> al of the Initiator; see <xref target="auth-cred"/>.</li>
<li>EAD_3 - external authorization data, see <xref target="AD"/> <li>EAD_3 is external authorization data; see <xref target="AD"/
</li> >.</li>
</ul> </ul>
</li> </li>
<li> <li>
<t>If the Initiator authenticates with a static Diffie-Hellman key (method equals 2 or 3), then Signature_or_MAC_3 is MAC_3. If the Initiator auth enticates with a signature key (method equals 0 or 1), then Signature_or_MAC_3 i s the 'signature' field of a COSE_Sign1 object, computed as specified in Section 4.4 of <xref target="RFC9052"/> using the signature algorithm of the selected c ipher suite, the private authentication key of the Initiator, and the following parameters as input (see <xref target="COSE"/>): </t> <t>If the Initiator authenticates with a static Diffie-Hellman key (method equals 2 or 3), then Signature_or_MAC_3 is MAC_3. If the Initiator auth enticates with a signature key (method equals 0 or 1), then Signature_or_MAC_3 i s the 'signature' field of a COSE_Sign1 object, computed as specified in <xref t arget="RFC9052" section="4.4" sectionFormat="of"/> using the signature algorithm of the selected cipher suite, the private authentication key of the Initiator, and the following parameters as input (see <xref target="COSE"/>): </t>
<ul spacing="normal"> <ul spacing="normal">
<li>protected = &lt;&lt; ID_CRED_I &gt;&gt;</li> <li>protected = &lt;&lt; ID_CRED_I &gt;&gt;</li>
<li>external_aad = &lt;&lt; TH_3, CRED_I, ? EAD_3 &gt;&gt;</li> <li>external_aad = &lt;&lt; TH_3, CRED_I, ? EAD_3 &gt;&gt;</li>
<li>payload = MAC_3</li> <li>payload = MAC_3</li>
</ul> </ul>
</li> </li>
<li> <li>
<t>Compute a COSE_Encrypt0 object as defined in Sections 5.2 and 5 .3 of <xref target="RFC9052"/>, with the EDHOC AEAD algorithm of the selected ci pher suite, using the encryption key K_3, the initialization vector IV_3 (if use d by the AEAD algorithm), the plaintext PLAINTEXT_3, and the following parameter s as input (see <xref target="COSE"/>): </t> <t>Compute a COSE_Encrypt0 object as defined in Sections <xref tar get="RFC9052" section="5.2" sectionFormat="bare"/> and <xref target="RFC9052" se ction="5.3" sectionFormat="bare"/> of <xref target="RFC9052"/>, with the EDHOC A EAD algorithm of the selected cipher suite, using the encryption key K_3, the in itialization vector IV_3 (if used by the AEAD algorithm), the plaintext PLAINTEX T_3, and the following parameters as input (see <xref target="COSE"/>): </t>
<ul spacing="normal"> <ul spacing="normal">
<li>protected = h''</li> <li>protected = h''</li>
<li>external_aad = TH_3</li> <li>external_aad = TH_3</li>
<li>K_3 and IV_3 are defined in <xref target="expand"/></li> <li>K_3 and IV_3 are defined in <xref target="expand"/></li>
<li> <li>
<t>PLAINTEXT_3 = ( ID_CRED_I / bstr / -24..23, Signature_or_MA C_3, ? EAD_3 ) </t> <t>PLAINTEXT_3 = ( ID_CRED_I / bstr / -24..23, Signature_or_MA C_3, ? EAD_3 ) </t>
<ul spacing="normal"> <ul spacing="normal">
<li>If ID_CRED_I contains a single 'kid' parameter, i.e., ID _CRED_I = { 4 : kid_I }, then the compact encoding is applied, see <xref target= "compact-kid"/>.</li> <li>If ID_CRED_I contains a single 'kid' parameter, i.e., ID _CRED_I = { 4 : kid_I }, then the compact encoding is applied; see <xref target= "compact-kid"/>.</li>
</ul> </ul>
</li> </li>
</ul> </ul>
<t> <t>
CIPHERTEXT_3 is the 'ciphertext' of COSE_Encrypt0.</t> CIPHERTEXT_3 is the 'ciphertext' of COSE_Encrypt0.</t>
</li> </li>
<li>Compute the transcript hash TH_4 = H(TH_3, PLAINTEXT_3, CRED_I) <li>Compute the transcript hash TH_4 = H(TH_3, PLAINTEXT_3, CRED_I),
where H() is the EDHOC hash algorithm of the selected cipher suite. The input to where H() is the EDHOC hash algorithm of the selected cipher suite. The input t
the hash function is a CBOR Sequence.</li> o the hash function is a CBOR Sequence.</li>
<li>Calculate PRK_out as defined in <xref target="fig-edhoc-kdf"/>. <li>Calculate PRK_out as defined in <xref target="fig-edhoc-kdf"/>.
The Initiator can now derive application keys using the EDHOC_Exporter interface The Initiator can now derive application keys using the EDHOC_Exporter interface
, see <xref target="exporter"/>.</li> ; see <xref target="exporter"/>.</li>
<li>Encode message_3 as a CBOR data item as specified in <xref targe t="asym-msg3-form"/>.</li> <li>Encode message_3 as a CBOR data item as specified in <xref targe t="asym-msg3-form"/>.</li>
<li>Make the connection identifiers (C_I, C_R) and the application a lgorithms in the selected cipher suite available to the application.</li> <li>Make the connection identifiers (C_I and C_R) and the applicatio n algorithms in the selected cipher suite available to the application.</li>
</ul> </ul>
<t>After creating message_3, the Initiator can compute PRK_out, see <x ref target="prkout"/>, and derive application keys using the EDHOC_Exporter inte rface, see <xref target="exporter"/>. The Initiator SHOULD NOT persistently stor e PRK_out or application keys until the Initiator has verified message_4 or a me ssage protected with a derived application key, such as an OSCORE message, from the Responder and the application has authenticated the Responder. This is simil ar to waiting for an acknowledgment (ACK) in a transport protocol. The Initiator SHOULD NOT send protected application data until the application has authentica ted the Responder.</t> <t>After creating message_3, the Initiator can compute PRK_out (see <x ref target="prkout"/>) and derive application keys using the EDHOC_Exporter inte rface (see <xref target="exporter"/>). The Initiator <bcp14>SHOULD NOT</bcp14> p ersistently store PRK_out or application keys until the Initiator has verified m essage_4 or a message protected with a derived application key, such as an OSCOR E message, from the Responder and the application has authenticated the Responde r. This is similar to waiting for an acknowledgment (ACK) in a transport protoco l. The Initiator <bcp14>SHOULD NOT</bcp14> send protected application data until the application has authenticated the Responder.</t>
</section> </section>
<section anchor="responder-processing-of-message-3"> <section anchor="responder-processing-of-message-3">
<name>Responder Processing of Message 3</name> <name>Responder Processing of Message 3</name>
<t>The Responder SHALL process message_3 in the following order:</t> <t>The Responder <bcp14>SHALL</bcp14> process message_3 in the followi
<ul spacing="normal"> ng order:</t>
<ol spacing="normal">
<li>Decode message_3 (see <xref target="CBOR"/>).</li> <li>Decode message_3 (see <xref target="CBOR"/>).</li>
<li>Retrieve the protocol state using available message correlation <li>Retrieve the protocol state using available message correlation
(e.g., the CoAP Token, the 5-tuple, or the prepended C_R, see <xref target="ci-e (e.g., the CoAP Token, the 5-tuple, or the prepended C_R; see <xref target="ci-e
dhoc"/>).</li> dhoc"/>).</li>
<li>Decrypt and verify the COSE_Encrypt0 as defined in Sections 5.2 <li>Decrypt and verify the COSE_Encrypt0 as defined in Sections <xre
and 5.3 of <xref target="RFC9052"/>, with the EDHOC AEAD algorithm in the select f target="RFC9052" section="5.2" sectionFormat="bare"/> and <xref target="RFC905
ed cipher suite, and the parameters defined in <xref target="asym-msg3-proc"/>.< 2" section="5.3" sectionFormat="bare"/> of <xref target="RFC9052"/>, with the ED
/li> HOC AEAD algorithm in the selected cipher suite and the parameters defined in <x
<li>If all processing completed successfully, then make ID_CRED_I an ref target="asym-msg3-proc"/>.</li>
d (if present) EAD_3 available to the application for authentication- and EAD pr <li>If all processing completed successfully, then make ID_CRED_I an
ocessing. When and how to perform authentication is up to the application.</li> d (if present) EAD_3 available to the application for authentication and EAD pro
cessing. When and how to perform authentication is up to the application.</li>
<li>Obtain the authentication credential (CRED_I) and the authentica tion key of I from the application (or by other means).</li> <li>Obtain the authentication credential (CRED_I) and the authentica tion key of I from the application (or by other means).</li>
<li>Verify Signature_or_MAC_3 using the algorithm in the selected ci <li>Verify Signature_or_MAC_3 using the algorithm in the selected ci
pher suite. The verification process depends on the method, see <xref target="as pher suite. The verification process depends on the method; see <xref target="as
ym-msg3-proc"/>. Make the result of the verification available to the applicatio ym-msg3-proc"/>. Make the result of the verification available to the applicatio
n.</li> n.</li>
<li>Make the connection identifiers (C_I, C_R) and the application a <li>Make the connection identifiers (C_I and C_R) and the applicatio
lgorithms in the selected cipher suite available to the application.</li> n algorithms in the selected cipher suite available to the application.</li>
</ul> </ol>
<t>After processing message_3, the Responder can compute PRK_out, see <t>After processing message_3, the Responder can compute PRK_out (see
<xref target="prkout"/>, and derive application keys using the EDHOC_Exporter in <xref target="prkout"/>) and derive application keys using the EDHOC_Exporter in
terface, see <xref target="exporter"/>. The Responder SHOULD NOT persistently st terface (see <xref target="exporter"/>). The Responder <bcp14>SHOULD NOT</bcp14>
ore PRK_out or application keys until the application has authenticated the Init persistently store PRK_out or application keys until the application has authen
iator. The Responder SHOULD NOT send protected application data until the applic ticated the Initiator. The Responder <bcp14>SHOULD NOT</bcp14> send protected ap
ation has authenticated the Initiator.</t> plication data until the application has authenticated the Initiator.</t>
<t>If any processing step fails, then the Responder MUST send an EDHOC <t>If any processing step fails, then the Responder <bcp14>MUST</bcp14
error message back as defined in <xref target="error"/>, and the EDHOC session > send an EDHOC error message back as defined in <xref target="error"/>, and the
MUST be aborted.</t> EDHOC session <bcp14>MUST</bcp14> be aborted.</t>
</section> </section>
</section> </section>
<section anchor="m4"> <section anchor="m4">
<name>EDHOC Message 4</name> <name>EDHOC Message 4</name>
<t>This section specifies message_4 which is OPTIONAL to support. Key co <t>This section specifies message_4, which is <bcp14>OPTIONAL</bcp14> to
nfirmation is normally provided by sending an application message from the Respo support. Key confirmation is normally provided by sending an application messag
nder to the Initiator protected with a key derived with the EDHOC_Exporter, e.g. e from the Responder to the Initiator protected with a key derived with the EDHO
, using OSCORE (see <xref target="transfer"/>). In deployments where no protecte C_Exporter, e.g., using OSCORE (see <xref target="transfer"/>). In deployments w
d application message is sent from the Responder to the Initiator, message_4 MUS here no protected application message is sent from the Responder to the Initiato
T be supported and MUST be used. Two examples of such deployments are:</t> r, message_4 <bcp14>MUST</bcp14> be supported and <bcp14>MUST</bcp14> be used. T
<ol spacing="normal" type="1"><li>When EDHOC is only used for authentica wo examples of such deployments are:</t>
tion and no application data is sent.</li> <ol spacing="normal" type="1"><li>when EDHOC is only used for authentica
<li>When application data is only sent from the Initiator to the Respo tion and no application data is sent and</li>
nder.</li> <li>when application data is only sent from the Initiator to the Respo
nder.</li>
</ol> </ol>
<t>Further considerations about when to use message_4 are provided in <x ref target="applicability"/> and <xref target="sec-prop"/>.</t> <t>Further considerations about when to use message_4 are provided in Se ctions <xref target="applicability" format="counter"/> and <xref target="sec-pro p" format="counter"/>.</t>
<section anchor="asym-msg4-form"> <section anchor="asym-msg4-form">
<name>Formatting of Message 4</name> <name>Formatting of Message 4</name>
<t>message_4 SHALL be a CBOR Sequence (see <xref target="CBOR"/>) as d <t>message_4 <bcp14>SHALL</bcp14> be a CBOR Sequence (see <xref target
efined below</t> ="CBOR"/>), as defined below.</t>
<sourcecode type="CDDL"><![CDATA[ <sourcecode type="cbor"><![CDATA[
message_4 = ( message_4 = (
CIPHERTEXT_4 : bstr, CIPHERTEXT_4 : bstr,
) )
]]></sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="asym-msg4-proc"> <section anchor="asym-msg4-proc">
<name>Responder Composition of Message 4</name> <name>Responder Composition of Message 4</name>
<t>The Responder SHALL compose message_4 as follows:</t> <t>The Responder <bcp14>SHALL</bcp14> compose message_4 as follows:</t >
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>Compute a COSE_Encrypt0 as defined in Sections 5.2 and 5.3 of < xref target="RFC9052"/>, with the EDHOC AEAD algorithm of the selected cipher su ite, using the encryption key K_4, the initialization vector IV_4 (if used by th e AEAD algorithm), the plaintext PLAINTEXT_4, and the following parameters as in put (see <xref target="COSE"/>): </t> <t>Compute a COSE_Encrypt0 as defined in Sections <xref target="RF C9052" section="5.2" sectionFormat="bare"/> and <xref target="RFC9052" section=" 5.3" sectionFormat="bare"/> of <xref target="RFC9052"/>, with the EDHOC AEAD alg orithm of the selected cipher suite, using the encryption key K_4, the initializ ation vector IV_4 (if used by the AEAD algorithm), the plaintext PLAINTEXT_4, an d the following parameters as input (see <xref target="COSE"/>): </t>
<ul spacing="normal"> <ul spacing="normal">
<li>protected = h''</li> <li>protected = h''</li>
<li>external_aad = TH_4</li> <li>external_aad = TH_4</li>
<li>K_4 and IV_4 are defined in <xref target="expand"/></li> <li>K_4 and IV_4 are defined in <xref target="expand"/></li>
<li> <li>
<t>PLAINTEXT_4 = ( ? EAD_4 ) <t>PLAINTEXT_4 = ( ? EAD_4 )
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>EAD_4 - external authorization data, see <xref target="A D"/>.</li> <li>EAD_4 is external authorization data; see <xref target=" AD"/>.</li>
</ul> </ul>
</li> </li>
</ul> </ul>
<t> <t>
CIPHERTEXT_4 is the 'ciphertext' of COSE_Encrypt0.</t> CIPHERTEXT_4 is the 'ciphertext' of COSE_Encrypt0.</t>
</li> </li>
<li>Encode message_4 as a CBOR data item as specified in <xref targe t="asym-msg4-form"/>.</li> <li>Encode message_4 as a CBOR data item as specified in <xref targe t="asym-msg4-form"/>.</li>
</ul> </ul>
</section> </section>
<section anchor="initiator-processing-of-message-4"> <section anchor="initiator-processing-of-message-4">
<name>Initiator Processing of Message 4</name> <name>Initiator Processing of Message 4</name>
<t>The Initiator SHALL process message_4 as follows:</t> <t>The Initiator <bcp14>SHALL</bcp14> process message_4 as follows:</t >
<ul spacing="normal"> <ul spacing="normal">
<li>Decode message_4 (see <xref target="CBOR"/>).</li> <li>Decode message_4 (see <xref target="CBOR"/>).</li>
<li>Retrieve the protocol state using available message correlation <li>Retrieve the protocol state using available message correlation
(e.g., the CoAP Token, the 5-tuple, or the prepended C_I, see <xref target="ci-e (e.g., the CoAP Token, the 5-tuple, or the prepended C_I; see <xref target="ci-e
dhoc"/>).</li> dhoc"/>).</li>
<li>Decrypt and verify the COSE_Encrypt0 as defined in Sections 5.2 <li>Decrypt and verify the COSE_Encrypt0 as defined in Sections <xre
and 5.3 of <xref target="RFC9052"/>, with the EDHOC AEAD algorithm in the select f target="RFC9052" section="5.2" sectionFormat="bare"/> and <xref target="RFC905
ed cipher suite, and the parameters defined in <xref target="asym-msg4-proc"/>.< 2" section="5.3" sectionFormat="bare"/> of <xref target="RFC9052"/>, with the ED
/li> HOC AEAD algorithm in the selected cipher suite and the parameters defined in <x
ref target="asym-msg4-proc"/>.</li>
<li>Make (if present) EAD_4 available to the application for EAD pro cessing.</li> <li>Make (if present) EAD_4 available to the application for EAD pro cessing.</li>
</ul> </ul>
<t>If any processing step fails, then the Initiator MUST send an EDHOC error message back as defined in <xref target="error"/>, and the EDHOC session MUST be aborted.</t> <t>If any processing step fails, then the Initiator <bcp14>MUST</bcp14 > send an EDHOC error message back as defined in <xref target="error"/>, and the EDHOC session <bcp14>MUST</bcp14> be aborted.</t>
<t>After verifying message_4, the Initiator is assured that the Respon der has calculated the key PRK_out (key confirmation) and that no other party ca n derive the key.</t> <t>After verifying message_4, the Initiator is assured that the Respon der has calculated the key PRK_out (key confirmation) and that no other party ca n derive the key.</t>
</section> </section>
</section> </section>
</section> </section>
<section anchor="error"> <section anchor="error">
<name>Error Handling</name> <name>Error Handling</name>
<t>This section defines the format for error messages, and the processing <t>This section defines the format for error messages and the processing a
associated with the currently defined error codes. Additional error codes may be ssociated with the currently defined error codes. Additional error codes may be
registered, see <xref target="error-code-reg"/>.</t> registered; see <xref target="error-code-reg"/>.</t>
<t>Many kinds of errors that can occur during EDHOC processing. As in CoAP <t>Many kinds of errors can occur during EDHOC processing. As in CoAP, an
, an error can be triggered by errors in the received message or internal errors error can be triggered by errors in the received message or internal errors in t
in the receiving endpoint. Except for processing and formatting errors, it is u he receiving endpoint. Except for processing and formatting errors, it is up to
p to the application when to send an error message. Sending error messages is es the application when to send an error message. Sending error messages is essenti
sential for debugging but MAY be skipped if, for example, an EDHOC session canno al for debugging but <bcp14>MAY</bcp14> be skipped if, for example, an EDHOC ses
t be found or due to denial-of-service reasons, see <xref target="dos"/>. Error sion cannot be found or due to denial-of-service reasons; see <xref target="dos"
messages in EDHOC are always fatal. After sending an error message, the sender M />. Error messages in EDHOC are always fatal. After sending an error message, th
UST abort the EDHOC session. The receiver SHOULD treat an error message as an in e sender <bcp14>MUST</bcp14> abort the EDHOC session. The receiver <bcp14>SHOULD
dication that the other party likely has aborted the EDHOC session. But since e </bcp14> treat an error message as an indication that the other party likely has
rror messages might be forged, the receiver MAY try to continue the EDHOC sessio aborted the EDHOC session. But since error messages might be forged, the recei
n.</t> ver <bcp14>MAY</bcp14> try to continue the EDHOC session.</t>
<t>An EDHOC error message can be sent by either endpoint as a reply to any non-error EDHOC message. How errors at the EDHOC layer are transported depends on lower layers, which need to enable error messages to be sent and processed as intended.</t> <t>An EDHOC error message can be sent by either endpoint as a reply to any non-error EDHOC message. How errors at the EDHOC layer are transported depends on lower layers, which need to enable error messages to be sent and processed as intended.</t>
<t>error SHALL be a CBOR Sequence (see <xref target="CBOR"/>) as defined b elow</t> <t>error <bcp14>SHALL</bcp14> be a CBOR Sequence (see <xref target="CBOR"/ >), as defined below.</t>
<figure anchor="fig-error-message"> <figure anchor="fig-error-message">
<name>EDHOC error message.</name> <name>EDHOC Error Message</name>
<sourcecode type="CDDL"><![CDATA[ <sourcecode type="cbor"><![CDATA[
error = ( error = (
ERR_CODE : int, ERR_CODE : int,
ERR_INFO : any, ERR_INFO : any,
) )
]]></sourcecode> ]]></sourcecode>
</figure> </figure>
<t>where:</t> <t>where:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>ERR_CODE - error code encoded as an integer. The value 0 is reserved <li>ERR_CODE is an error code encoded as an integer. The value 0 is rese
for success and can only be used internally, all other values (negative or posi rved for success and can only be used internally; all other values (negative or
tive) indicate errors.</li> positive) indicate errors.</li>
<li>ERR_INFO - error information. Content and encoding depend on error c <li>ERR_INFO is error information. Content and encoding depend on the er
ode.</li> ror code.</li>
</ul> </ul>
<t>The remainder of this section specifies the currently defined error cod <t>The remainder of this section specifies the currently defined error cod
es, see <xref target="fig-error-codes"/>. Additional error codes and correspondi es; see <xref target="tab-error-codes"/>. Additional error codes and correspondi
ng error information may be specified.</t> ng error information may be specified.</t>
<figure anchor="fig-error-codes">
<name>EDHOC error codes and error information.</name> <table anchor="tab-error-codes">
<artset> <name>EDHOC Error Codes and Error Information</name>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 <thead>
.1" height="208" width="560" viewBox="0 0 560 208" class="diagram" text-anchor=" <tr>
middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <th>ERR_CODE</th>
<path d="M 8,32 L 8,192" fill="none" stroke="black"/> <th>ERR_INFO Type</th>
<path d="M 96,32 L 96,192" fill="none" stroke="black"/> <th>Description</th>
<path d="M 224,32 L 224,192" fill="none" stroke="black"/> </tr>
<path d="M 552,32 L 552,192" fill="none" stroke="black"/> </thead>
<path d="M 8,32 L 552,32" fill="none" stroke="black"/> <tbody>
<path d="M 8,62 L 552,62" fill="none" stroke="black"/> <tr>
<path d="M 8,66 L 552,66" fill="none" stroke="black"/> <td align="right">0</td>
<path d="M 8,96 L 552,96" fill="none" stroke="black"/> <td></td>
<path d="M 8,128 L 552,128" fill="none" stroke="black"/> <td>Reserved for success</td>
<path d="M 8,160 L 552,160" fill="none" stroke="black"/> </tr>
<path d="M 8,192 L 552,192" fill="none" stroke="black"/> <tr>
<g class="text"> <td align="right">1</td>
<text x="52" y="52">ERR_CODE</text> <td>tstr</td>
<text x="140" y="52">ERR_INFO</text> <td>Unspecified error</td>
<text x="196" y="52">Type</text> </tr>
<text x="280" y="52">Description</text> <tr>
<text x="80" y="84">0</text> <td align="right">2</td>
<text x="252" y="84">This</text> <td>suites</td>
<text x="296" y="84">value</text> <td>Wrong selected cipher suite</td>
<text x="332" y="84">is</text> </tr>
<text x="380" y="84">reserved</text> <tr>
<text x="80" y="116">1</text> <td align="right">3</td>
<text x="124" y="116">tstr</text> <td>true</td>
<text x="280" y="116">Unspecified</text> <td>Unknown credential referenced</td>
<text x="352" y="116">error</text> </tr>
<text x="80" y="148">2</text> <tr>
<text x="132" y="148">suites</text> <td align="right">23</td>
<text x="256" y="148">Wrong</text> <td></td>
<text x="316" y="148">selected</text> <td>Reserved</td>
<text x="380" y="148">cipher</text> </tr>
<text x="432" y="148">suite</text> </tbody>
<text x="80" y="180">3</text> </table>
<text x="124" y="180">true</text>
<text x="264" y="180">Unknown</text>
<text x="340" y="180">credential</text>
<text x="428" y="180">referenced</text>
</g>
</svg>
</artwork>
<artwork type="ascii-art"><![CDATA[
+----------+---------------+----------------------------------------+
| ERR_CODE | ERR_INFO Type | Description |
+==========+===============+========================================+
| 0 | | This value is reserved |
+----------+---------------+----------------------------------------+
| 1 | tstr | Unspecified error |
+----------+---------------+----------------------------------------+
| 2 | suites | Wrong selected cipher suite |
+----------+---------------+----------------------------------------+
| 3 | true | Unknown credential referenced |
+----------+---------------+----------------------------------------+
]]></artwork>
</artset>
</figure>
<section anchor="success"> <section anchor="success">
<name>Success</name> <name>Success</name>
<t>Error code 0 MAY be used internally in an application to indicate suc cess, i.e., as a standard value in case of no error, e.g., in status reporting o r log files. Error code 0 MUST NOT be used as part of the EDHOC message exchange . If an endpoint receives an error message with error code 0, then it MUST abort the EDHOC session and MUST NOT send an error message.</t> <t>Error code 0 <bcp14>MAY</bcp14> be used internally in an application to indicate success, i.e., as a standard value in case of no error, e.g., in sta tus reporting or log files. Error code 0 <bcp14>MUST NOT</bcp14> be used as part of the EDHOC message exchange. If an endpoint receives an error message with er ror code 0, then it <bcp14>MUST</bcp14> abort the EDHOC session and <bcp14>MUST NOT</bcp14> send an error message.</t>
</section> </section>
<section anchor="unspecified-error"> <section anchor="unspecified-error">
<name>Unspecified Error</name> <name>Unspecified Error</name>
<t>Error code 1 is used for errors that do not have a specific error cod e defined. ERR_INFO MUST be a text string containing a human-readable diagnostic message which SHOULD be written in English, for example "Method not supported". The diagnostic text message is mainly intended for software engineers that duri ng debugging need to interpret it in the context of the EDHOC specification. The diagnostic message SHOULD be provided to the calling application where it SHOUL D be logged.</t> <t>Error code 1 is used for errors that do not have a specific error cod e defined. ERR_INFO <bcp14>MUST</bcp14> be a text string containing a human-read able diagnostic message that <bcp14>SHOULD</bcp14> be written in English, for ex ample, "Method not supported". The diagnostic text message is mainly intended fo r software engineers who during debugging need to interpret it in the context of the EDHOC specification. The diagnostic message <bcp14>SHOULD</bcp14> be provid ed to the calling application where it <bcp14>SHOULD</bcp14> be logged.</t>
</section> </section>
<section anchor="wrong-selected"> <section anchor="wrong-selected">
<name>Wrong Selected Cipher Suite</name> <name>Wrong Selected Cipher Suite</name>
<t>Error code 2 MUST only be used when replying to message_1 in case the cipher suite selected by the Initiator is not supported by the Responder, or if the Responder supports a cipher suite more preferred by the Initiator than the selected cipher suite, see <xref target="resp-proc-msg1"/>. In this case, ERR_IN FO = SUITES_R and is of type suites, see <xref target="asym-msg1-form"/>. If the Responder does not support the selected cipher suite, then SUITES_R MUST includ e one or more supported cipher suites. If the Responder supports a cipher suite in SUITES_I other than the selected cipher suite (independently of if the select ed cipher suite is supported or not) then SUITES_R MUST include the supported ci pher suite in SUITES_I which is most preferred by the Initiator. SUITES_R MAY in clude a single cipher suite, in which case it is encoded as an int. If the Respo nder does not support any cipher suite in SUITES_I, then it SHOULD include all i ts supported cipher suites in SUITES_R.</t> <t>Error code 2 <bcp14>MUST</bcp14> only be used when replying to messag e_1 in case the cipher suite selected by the Initiator is not supported by the R esponder or if the Responder supports a cipher suite more preferred by the Initi ator than the selected cipher suite; see <xref target="resp-proc-msg1"/>. In thi s case, ERR_INFO = SUITES_R and is of type suites; see <xref target="asym-msg1-f orm"/>. If the Responder does not support the selected cipher suite, then SUITES _R <bcp14>MUST</bcp14> include one or more supported cipher suites. If the Respo nder supports a cipher suite in SUITES_I other than the selected cipher suite (i ndependently of if the selected cipher suite is supported or not), then SUITES_R <bcp14>MUST</bcp14> include the supported cipher suite in SUITES_I, which is mo st preferred by the Initiator. SUITES_R <bcp14>MAY</bcp14> include a single ciph er suite; in which case, it is encoded as an int. If the Responder does not supp ort any cipher suite in SUITES_I, then it <bcp14>SHOULD</bcp14> include all its supported cipher suites in SUITES_R.</t>
<t>In contrast to SUITES_I, the order of the cipher suites in SUITES_R h as no significance.</t> <t>In contrast to SUITES_I, the order of the cipher suites in SUITES_R h as no significance.</t>
<section anchor="cipher-suite-negotiation"> <section anchor="cipher-suite-negotiation">
<name>Cipher Suite Negotiation</name> <name>Cipher Suite Negotiation</name>
<t>After receiving SUITES_R, the Initiator can determine which cipher <t>After receiving SUITES_R, the Initiator can determine which cipher
suite to select (if any) for the next EDHOC run with the Responder.</t> suite to select (if any) for the next EDHOC run with the Responder. The Initiato
<t>If the Initiator intends to contact the Responder in the future, th r <bcp14>SHOULD</bcp14> remember which selected cipher suite to use until the ne
e Initiator SHOULD remember which selected cipher suite to use until the next me xt message_1 has been sent; otherwise, the Initiator and Responder will run into
ssage_1 has been sent, otherwise the Initiator and Responder will likely run int an infinite loop where the Initiator selects its most preferred cipher suite an
o an infinite loop where the Initiator selects its most preferred cipher suite a d the Responder sends an error with supported cipher suites.</t>
nd the Responder sends an error with supported cipher suites. After a completed <t>After a completed EDHOC session, the Initiator <bcp14>MAY</bcp14> re
EDHOC session, the Initiator MAY remember the selected cipher suite to use in fu member the selected cipher suite to use in future EDHOC sessions with this Respo
ture EDHOC sessions. Note that if the Initiator or Responder is updated with new nder. Note that if the Initiator or Responder is updated with new cipher suite p
cipher suite policies, any cached information may be outdated.</t> olicies, any cached information may be outdated.</t>
<t>Note that the Initiator's list of supported cipher suites and order <t>Note that the Initiator's list of supported cipher suites and order
of preference is fixed (see <xref target="asym-msg1-form"/> and <xref target="i of preference is fixed (see Sections <xref target="asym-msg1-form" format="coun
nit-proc-msg1"/>). Furthermore, the Responder SHALL only accept message_1 if the ter"/> and <xref target="init-proc-msg1" format="counter"/>). Furthermore, the R
selected cipher suite is the first cipher suite in SUITES_I that the Responder esponder <bcp14>SHALL</bcp14> only accept message_1 if the selected cipher suite
also supports (see <xref target="resp-proc-msg1"/>). Following this procedure en is the first cipher suite in SUITES_I that the Responder also supports (see <xr
sures that the selected cipher suite is the most preferred (by the Initiator) ci ef target="resp-proc-msg1"/>). Following this procedure ensures that the selecte
pher suite supported by both parties. For examples, see <xref target="ex-neg"/>. d cipher suite is the most preferred (by the Initiator) cipher suite supported b
</t> y both parties. For examples, see <xref target="ex-neg"/>.</t>
<t>If the selected cipher suite is not the first cipher suite which th <t>If the selected cipher suite is not the first cipher suite that the
e Responder supports in SUITES_I received in message_1, then the Responder MUST Responder supports in SUITES_I received in message_1, then the Responder <bcp14
abort the EDHOC session, see <xref target="resp-proc-msg1"/>. If SUITES_I in mes >MUST</bcp14> abort the EDHOC session; see <xref target="resp-proc-msg1"/>. If S
sage_1 is manipulated, then the integrity verification of message_2 containing t UITES_I in message_1 is manipulated, then the integrity verification of message_
he transcript hash TH_2 will fail and the Initiator will abort the EDHOC session 2 containing the transcript hash TH_2 will fail and the Initiator will abort the
.</t> EDHOC session.</t>
</section> </section>
<section anchor="ex-neg"> <section anchor="ex-neg">
<name>Examples</name> <name>Examples</name>
<t>Assume that the Initiator supports the five cipher suites 5, 6, 7, <t>Assume that the Initiator supports the five cipher suites, 5, 6, 7,
8, and 9 in decreasing order of preference. Figures <xref target="fig-error1" fo 8, and 9, in decreasing order of preference. Figures <xref target="fig-error1"
rmat="counter"/> and <xref target="fig-error2" format="counter"/> show two examp format="counter"/> and <xref target="fig-error2" format="counter"/> show two exa
les of how the Initiator can format SUITES_I and how SUITES_R is used by Respond mples of how the Initiator can format SUITES_I and how SUITES_R is used by Respo
ers to give the Initiator information about the cipher suites that the Responder nders to give the Initiator information about the cipher suites that the Respond
supports.</t> er supports.</t>
<t>In Example 1 (<xref target="fig-error1"/>), the Responder supports <t>In Example 1 (<xref target="fig-error1"/>), the Responder supports
cipher suite 6 but not the initially selected cipher suite 5. The Responder reje cipher suite 6 but not the initially selected cipher suite 5. The Responder reje
cts the first message_1 with an error indicating support for suite 6 in SUITES_R cts the first message_1 with an error indicating support for suite 6 in SUITES_R
. The Initiator also supports suite 6, and therefore selects suite 6 in the seco . The Initiator also supports suite 6 and therefore selects suite 6 in the secon
nd message_1. The Initiator prepends in SUITES_I the selected suite 6 with the m d message_1. The Initiator prepends in SUITES_I the selected suite 6 with the mo
ore preferred suites, in this case suite 5, to mitigate a potential attack on th re preferred suites, in this case suite 5, to mitigate a potential attack on the
e cipher suite negotiation.</t> cipher suite negotiation.</t>
<figure anchor="fig-error1"> <figure anchor="fig-error1">
<name>Cipher suite negotiation example 1.</name> <name>Cipher Suite Negotiation Example 1</name>
<artset> <artset>
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2 000/svg" version="1.1" height="224" width="560" viewBox="0 0 560 224" class="dia gram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linec ap="round"> <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2 000/svg" version="1.1" height="" width="" viewBox="0 0 560 224" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="ro und">
<path d="M 8,48 L 8,208" fill="none" stroke="black"/> <path d="M 8,48 L 8,208" fill="none" stroke="black"/>
<path d="M 552,48 L 552,208" fill="none" stroke="black"/> <path d="M 552,48 L 552,208" fill="none" stroke="black"/>
<path d="M 8,64 L 544,64" fill="none" stroke="black"/> <path d="M 8,64 L 544,64" fill="none" stroke="black"/>
<path d="M 16,128 L 552,128" fill="none" stroke="black"/> <path d="M 16,128 L 552,128" fill="none" stroke="black"/>
<path d="M 8,192 L 544,192" fill="none" stroke="black"/> <path d="M 8,192 L 544,192" fill="none" stroke="black"/>
<polygon class="arrowhead" points="552,192 540,186.4 540,197.6 " fill="black" transform="rotate(0,544,192)"/> <polygon class="arrowhead" points="552,192 540,186.4 540,197.6 " fill="black" transform="rotate(0,544,192)"/>
<polygon class="arrowhead" points="552,64 540,58.4 540,69.6" f ill="black" transform="rotate(0,544,64)"/> <polygon class="arrowhead" points="552,64 540,58.4 540,69.6" f ill="black" transform="rotate(0,544,64)"/>
<polygon class="arrowhead" points="24,128 12,122.4 12,133.6" f ill="black" transform="rotate(180,16,128)"/> <polygon class="arrowhead" points="24,128 12,122.4 12,133.6" f ill="black" transform="rotate(180,16,128)"/>
<g class="text"> <g class="text">
<text x="40" y="36">Initiator</text> <text x="40" y="36">Initiator</text>
skipping to change at line 1264 skipping to change at line 1229
| ERR_CODE = 2, SUITES_R = 6 | | ERR_CODE = 2, SUITES_R = 6 |
|<------------------------------------------------------------------+ |<------------------------------------------------------------------+
| error | | error |
| | | |
| METHOD, SUITES_I = [5, 6], G_X, C_I, EAD_1 | | METHOD, SUITES_I = [5, 6], G_X, C_I, EAD_1 |
+------------------------------------------------------------------>| +------------------------------------------------------------------>|
| message_1 | | message_1 |
]]></artwork> ]]></artwork>
</artset> </artset>
</figure> </figure>
<t>In Example 2 (<xref target="fig-error2"/>), the Responder supports <t>In Example 2 (<xref target="fig-error2"/>), the Responder supports
cipher suites 8 and 9 but not the more preferred (by the Initiator) cipher suite cipher suites 8 and 9 but not the more preferred (by the Initiator) cipher suite
s 5, 6 or 7. To illustrate the negotiation mechanics we let the Initiator first s 5, 6 or 7. To illustrate the negotiation mechanics, we let the Initiator first
make a guess that the Responder supports suite 6 but not suite 5. Since the Resp make a guess that the Responder supports suite 6 but not suite 5. Since the Res
onder supports neither 5 nor 6, it rejects the first message_1 with an error ind ponder supports neither 5 nor 6, it rejects the first message_1 with an error in
icating support for suites 8 and 9 in SUITES_R (in any order). The Initiator als dicating support for suites 8 and 9 in SUITES_R (in any order). The Initiator al
o supports suites 8 and 9, and prefers suite 8, so selects suite 8 in the second so supports suites 8 and 9, and prefers suite 8, so it selects suite 8 in the s
message_1. The Initiator prepends in SUITES_I the selected suite 8 with the mor econd message_1. The Initiator prepends in SUITES_I the selected suite 8 with th
e preferred suites in order of preference, in this case suites 5, 6 and 7, to mi e more preferred suites in order of preference, in this case, suites 5, 6 and 7,
tigate a potential attack on the cipher suite negotiation.</t> to mitigate a potential attack on the cipher suite negotiation.</t>
<t>Note 1. If the Responder had supported suite 5, then the first mess <ol type="Note %d.">
age_1 would not have been accepted either, since the Responder observes that sui <li>If the Responder had supported suite 5, then the first message_1 w
te 5 is more preferred by the Initiator than the selected suite 6. In that case ould not have been accepted either, since the Responder observes that suite 5 is
the Responder would have included suite 5 in SUITES_R of the response, and it wo more preferred by the Initiator than the selected suite 6. In that case, the Re
uld then have become the selected and only suite in the second message_1.</t> sponder would have included suite 5 in SUITES_R of the response, and it would th
<t>Note 2. For each message_1 the Initiator MUST generate a new epheme en have become the selected and only suite in the second message_1.</li>
ral ECDH key pair matching the selected cipher suite.</t> <li>For each message_1, the Initiator <bcp14>MUST</bcp14> generate a n
ew ephemeral ECDH key pair matching the selected cipher suite.</li>
</ol>
<figure anchor="fig-error2"> <figure anchor="fig-error2">
<name>Cipher suite negotiation example 2.</name> <name>Cipher Suite Negotiation Example 2</name>
<artset> <artset>
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2 000/svg" version="1.1" height="224" width="560" viewBox="0 0 560 224" class="dia gram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linec ap="round"> <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2 000/svg" version="1.1" height="" width="" viewBox="0 0 560 224" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="ro und">
<path d="M 8,48 L 8,208" fill="none" stroke="black"/> <path d="M 8,48 L 8,208" fill="none" stroke="black"/>
<path d="M 552,48 L 552,208" fill="none" stroke="black"/> <path d="M 552,48 L 552,208" fill="none" stroke="black"/>
<path d="M 8,64 L 544,64" fill="none" stroke="black"/> <path d="M 8,64 L 544,64" fill="none" stroke="black"/>
<path d="M 16,128 L 552,128" fill="none" stroke="black"/> <path d="M 16,128 L 552,128" fill="none" stroke="black"/>
<path d="M 8,192 L 544,192" fill="none" stroke="black"/> <path d="M 8,192 L 544,192" fill="none" stroke="black"/>
<polygon class="arrowhead" points="552,192 540,186.4 540,197.6 " fill="black" transform="rotate(0,544,192)"/> <polygon class="arrowhead" points="552,192 540,186.4 540,197.6 " fill="black" transform="rotate(0,544,192)"/>
<polygon class="arrowhead" points="552,64 540,58.4 540,69.6" f ill="black" transform="rotate(0,544,64)"/> <polygon class="arrowhead" points="552,64 540,58.4 540,69.6" f ill="black" transform="rotate(0,544,64)"/>
<polygon class="arrowhead" points="24,128 12,122.4 12,133.6" f ill="black" transform="rotate(180,16,128)"/> <polygon class="arrowhead" points="24,128 12,122.4 12,133.6" f ill="black" transform="rotate(180,16,128)"/>
<g class="text"> <g class="text">
<text x="40" y="36">Initiator</text> <text x="40" y="36">Initiator</text>
skipping to change at line 1333 skipping to change at line 1300
| METHOD, SUITES_I = [5, 6, 7, 8], G_X, C_I, EAD_1 | | METHOD, SUITES_I = [5, 6, 7, 8], G_X, C_I, EAD_1 |
+------------------------------------------------------------------>| +------------------------------------------------------------------>|
| message_1 | | message_1 |
]]></artwork> ]]></artwork>
</artset> </artset>
</figure> </figure>
</section> </section>
</section> </section>
<section anchor="unknown-credential-referenced"> <section anchor="unknown-credential-referenced">
<name>Unknown Credential Referenced</name> <name>Unknown Credential Referenced</name>
<t>Error code 3 is used for errors due to a received credential identifi <t>Error code 3 is used for errors due to a received credential identifi
er (ID_CRED_R in message_2 or ID_CRED_I message_3) containing a reference to a c er (ID_CRED_R in message_2 or ID_CRED_I message_3) containing a reference to a c
redential which the receiving endpoint does not have access to. The intent with redential that the receiving endpoint does not have access to. The intent with t
this error code is that the endpoint who sent the credential identifier should f his error code is that the endpoint who sent the credential identifier should, f
or the next EDHOC session try another credential identifier supported according or the next EDHOC session, try another credential identifier supported according
to the application profile.</t> to the application profile.</t>
<t>For example, an application profile could list x5t and x5chain as sup <t>For example, an application profile could list x5t and x5chain as sup
ported credential identifiers, and state that x5t should be used if it can be as ported credential identifiers and state that x5t should be used if it can be ass
sumed that the X.509 certificate is available at the receiving side. This error umed that the X.509 certificate is available at the receiving side. This error c
code thus enables the certificate chain to be sent only when needed, bearing in ode thus enables the certificate chain to be sent only when needed, bearing in m
mind that error messages are not protected so an adversary can try to cause unne ind that error messages are not protected so an adversary can try to cause unnec
cessary large credential identifiers.</t> essary, large credential identifiers.</t>
<t>For the error code 3, the error information SHALL be the CBOR simple <t>For the error code 3, the error information <bcp14>SHALL</bcp14> be t
value <tt>true</tt> (0xf5). Error code 3 MUST NOT be used when the received cred he CBOR simple value <tt>true</tt> (0xf5). Error code 3 <bcp14>MUST NOT</bcp14>
ential identifier type is not supported.</t> be used when the received credential identifier type is not supported.</t>
</section> </section>
</section> </section>
<section anchor="duplication"> <section anchor="duplication">
<name>EDHOC Message Deduplication</name> <name>EDHOC Message Deduplication</name>
<t>EDHOC by default assumes that message duplication is handled by the tra <t>By default, EDHOC assumes that message duplication is handled by the tr
nsport, in this section exemplified with CoAP, see <xref target="coap"/>.</t> ansport (which is exemplified by CoAP in this section); see <xref target="coap"/
<t>Deduplication of CoAP messages is described in Section 4.5 of <xref tar >.</t>
get="RFC7252"/>. This handles the case when the same Confirmable (CON) message i <t>Deduplication of CoAP messages is described in <xref target="RFC7252" s
s received multiple times due to missing acknowledgment on the CoAP messaging la ection="4.5" sectionFormat="of"/>. This handles the case when the same Confirmab
yer. The recommended processing in <xref target="RFC7252"/> is that the duplicat le (CON) message is received multiple times due to missing acknowledgment on the
e message is acknowledged (ACK), but the received message is only processed once CoAP messaging layer. The recommended processing in <xref target="RFC7252"/> is
by the CoAP stack.</t> that the duplicate message is acknowledged, but the received message is only pr
<t>Message deduplication is resource demanding and therefore not supported ocessed once by the CoAP stack.</t>
in all CoAP implementations. Since EDHOC is targeting constrained environments, <t>Message deduplication is resource demanding and therefore not supported
it is desirable that EDHOC can optionally support transport layers which do not in all CoAP implementations. Since EDHOC is targeting constrained environments,
handle message duplication. Special care is needed to avoid issues with duplica it is desirable that EDHOC can optionally support transport layers that do not
te messages, see <xref target="proc-outline"/>.</t> handle message duplication. Special care is needed to avoid issues with duplicat
<t>The guiding principle here is similar to the deduplication processing o e messages; see <xref target="proc-outline"/>.</t>
n the CoAP messaging layer: a received duplicate EDHOC message SHALL NOT result <t>The guiding principle here is similar to the deduplication processing o
in another instance of the next EDHOC message. The result MAY be that a duplicat n the CoAP messaging layer, i.e., a received duplicate EDHOC message <bcp14>SHAL
e next EDHOC message is sent, provided it is still relevant with respect to the L NOT</bcp14> result in another instance of the next EDHOC message. The result <
current protocol state. In any case, the received message MUST NOT be processed bcp14>MAY</bcp14> be that a duplicate next EDHOC message is sent, provided it is
more than once in the same EDHOC session. This is called "EDHOC message deduplic still relevant with respect to the current protocol state. In any case, the rec
ation".</t> eived message <bcp14>MUST NOT</bcp14> be processed more than once in the same ED
<t>An EDHOC implementation MAY store the previously sent EDHOC message to HOC session. This is called "EDHOC message deduplication".</t>
be able to resend it.</t> <t>An EDHOC implementation <bcp14>MAY</bcp14> store the previously sent ED
<t>In principle, if the EDHOC implementation would deterministically regen HOC message to be able to resend it.</t>
erate the identical EDHOC message previously sent, it would be possible to inste <t>In principle, if the EDHOC implementation would deterministically regen
ad store the protocol state to be able to recreate and resend the previously sen erate the identical EDHOC message previously sent, it would be possible to inste
t EDHOC message. However, even if the protocol state is fixed, the message gener ad store the protocol state to be able to recreate and resend the previously sen
ation may introduce differences which compromise security. For example, in the g t EDHOC message. However, even if the protocol state is fixed, the message gener
eneration of message_3, if I is performing a (non-deterministic) ECDSA signature ation may introduce differences that compromise security. For example, in the ge
(say, method 0 or 1, cipher suite 2 or 3) then PLAINTEXT_3 is randomized, but K neration of message_3, if I is performing a (non-deterministic) ECDSA signature
_3 and IV_3 are the same, leading to a key and nonce reuse.</t> (say, method 0 or 1 and cipher suite 2 or 3), then PLAINTEXT_3 is randomized, bu
<t>The EDHOC implementation MUST NOT store previous protocol state and reg t K_3 and IV_3 are the same, leading to a key and nonce reuse.</t>
enerate an EDHOC message if there is a risk that the same key and IV are used fo <t>The EDHOC implementation <bcp14>MUST NOT</bcp14> store the previous pro
r two (or more) distinct messages.</t> tocol state and regenerate an EDHOC message if there is a risk that the same key
<t>The previous message or protocol state MUST NOT be kept longer than wha and IV are used for two (or more) distinct messages.</t>
t is required for retransmission, for example, in the case of CoAP transport, no <t>The previous message or protocol state <bcp14>MUST NOT</bcp14> be kept
longer than the EXCHANGE_LIFETIME (see Section 4.8.2 of <xref target="RFC7252"/ longer than what is required for retransmission, for example, in the case of CoA
>).</t> P transport, no longer than the EXCHANGE_LIFETIME (see <xref target="RFC7252" se
ction="4.8.2" sectionFormat="of"/>).</t>
</section> </section>
<section anchor="mti"> <section anchor="mti">
<name>Compliance Requirements</name> <name>Compliance Requirements</name>
<t>In the absence of an application profile specifying otherwise:</t> <t>In the absence of an application profile specifying otherwise:</t>
<t>An implementation MAY support only Initiator or only Responder.</t> <ul spacing="normal">
<t>An implementation MAY support only a single method. None of the methods <li>An implementation <bcp14>MAY</bcp14> support only an Initiator or only
are mandatory-to-implement.</t> a Responder.</li>
<t>Implementations MUST support 'kid' parameters. None of the other COSE h <li>An implementation <bcp14>MAY</bcp14> support only a single method. Non
eader parameters are mandatory-to-implement.</t> e of the methods are mandatory to implement.</li>
<t>An implementation MAY support only a single credential type (CCS, CWT, <li>Implementations <bcp14>MUST</bcp14> support 'kid' parameters. None of
X.509, C509). None of the credential types are mandatory-to-implement.</t> the other COSE header parameters are mandatory to implement.</li>
<t>Implementations MUST support the EDHOC_Exporter.</t> <li>An implementation <bcp14>MAY</bcp14> support only a single credential
<t>Implementations MAY support message_4. Error codes (ERR_CODE) 1 and 2 M type (CCS, CWT, X.509, or C509). None of the credential types are mandatory to i
UST be supported.</t> mplement.</li>
<t>Implementations MUST support EAD.</t> <li>Implementations <bcp14>MUST</bcp14> support the EDHOC_Exporter.</li>
<t>Implementations MUST support cipher suite 2 and 3. Cipher suites 2 (AES <li>Implementations <bcp14>MAY</bcp14> support message_4. Error codes (ERR
-CCM-16-64-128, SHA-256, 8, P-256, ES256, AES-CCM-16-64-128, SHA-256) and 3 (AES _CODE) 1 and 2 <bcp14>MUST</bcp14> be supported.</li>
-CCM-16-128-128, SHA-256, 16, P-256, ES256, AES-CCM-16-64-128, SHA-256) only dif <li>Implementations <bcp14>MUST</bcp14> support EAD.</li>
fer in the size of the MAC length, so supporting one or both of these is not sig <li>Implementations <bcp14>MUST</bcp14> support cipher suites 2 and 3. Cip
nificantly different. Implementations only need to implement the algorithms need her suites 2 (AES-CCM-16-64-128, SHA-256, 8, P-256, ES256, AES-CCM-16-64-128, SH
ed for their supported methods.</t> A-256) and 3 (AES-CCM-16-128-128, SHA-256, 16, P-256, ES256, AES-CCM-16-64-128,
SHA-256) only differ in the size of the MAC length, so supporting one or both of
these is not significantly different. Implementations only need to implement th
e algorithms needed for their supported methods.</li>
</ul>
</section> </section>
<section anchor="security"> <section anchor="security">
<name>Security Considerations</name> <name>Security Considerations</name>
<section anchor="sec-prop"> <section anchor="sec-prop">
<name>Security Properties</name> <name>Security Properties</name>
<t>EDHOC has similar security properties as can be expected from the the oretical SIGMA-I protocol <xref target="SIGMA"/> and the Noise XX pattern <xref target="Noise"/>, which are similar to methods 0 and 3, respectively. Proven sec urity properties are detailed in the security analysis publications referenced a t the end of this section.</t> <t>EDHOC has similar security properties as can be expected from the the oretical SIGMA-I protocol <xref target="SIGMA"/> and the Noise XX pattern <xref target="Noise"/>, which are similar to methods 0 and 3, respectively. Proven sec urity properties are detailed in the security analysis publications referenced a t the end of this section.</t>
<t>Using the terminology from <xref target="SIGMA"/>, EDHOC provides for <t>Using the terminology from <xref target="SIGMA"/>, EDHOC provides for
ward secrecy, mutual authentication with aliveness, consistency, and peer awaren ward secrecy, mutual authentication with aliveness, consistency, and peer awaren
ess. As described in <xref target="SIGMA"/>, message_3 provides peer awareness t ess. As described in <xref target="SIGMA"/>, message_3 provides peer awareness t
o the Responder while message_4 provides peer awareness to the Initiator. By inc o the Responder, while message_4 provides peer awareness to the Initiator. B
luding the authentication credentials in the transcript hash, EDHOC protects aga y including the authentication credentials in the transcript hash, EDHOC protect
inst Duplicate Signature Key Selection (DSKS)-like identity mis-binding attack t s against an identity misbinding attack like the Duplicate Signature Key Selecti
hat the MAC-then-Sign variant of SIGMA-I is otherwise vulnerable to.</t> on (DSKS) that the MAC-then-Sign variant of SIGMA-I is otherwise vulnerable to.<
<t>As described in <xref target="SIGMA"/>, different levels of identity /t>
protection are provided to the Initiator and the Responder. EDHOC provides ident <t>As described in <xref target="SIGMA"/>, different levels of identity
ity protection of the Initiator against active attacks and identity protection o protection are provided to the Initiator and Responder. EDHOC provides identity
f the Responder against passive attacks. An active attacker can get the credenti protection of the Initiator against active attacks and identity protection of th
al identifier of the Responder by eavesdropping on the destination address used e Responder against passive attacks. An active attacker can get the credential i
for transporting message_1 and then sending its own message_1 to the same addres dentifier of the Responder by eavesdropping on the destination address used for
s. The roles should be assigned to protect the most sensitive identity/identifie transporting message_1 and then sending its own message_1 to the same address. T
r, typically that which is not possible to infer from routing information in the he roles should be assigned to protect the most sensitive identity/identifier, t
lower layers.</t> ypically that which is not possible to infer from routing information in the low
<t>EDHOC messages might change in transit due to a noisy channel or thro er layers.</t>
ugh modification by an attacker. Changes in message_1 and message_2 (except Sign <t>EDHOC messages might change in transit due to a noisy channel or thro
ature_or_MAC_2 when the signature scheme is not strongly unforgeable) are detect ugh modification by an attacker. Changes in message_1 and message_2 (except Sign
ed when verifying Signature_or_MAC_2. Changes to not strongly unforgeable Signat ature_or_MAC_2 when the signature scheme is not strongly unforgeable) are detect
ure_or_MAC_2, and message_3 are detected when verifying CIPHERTEXT_3. Changes to ed when verifying Signature_or_MAC_2. Changes to not strongly unforgeable Signat
message_4 are detected when verifying CIPHERTEXT_4.</t> ure_or_MAC_2 and message_3 are detected when verifying CIPHERTEXT_3. Changes to
message_4 are detected when verifying CIPHERTEXT_4.</t>
<t>Compared to <xref target="SIGMA"/>, EDHOC adds an explicit method typ e and expands the message authentication coverage to additional elements such as algorithms, external authorization data, and previous plaintext messages. This protects against an attacker replaying messages or injecting messages from anoth er EDHOC session.</t> <t>Compared to <xref target="SIGMA"/>, EDHOC adds an explicit method typ e and expands the message authentication coverage to additional elements such as algorithms, external authorization data, and previous plaintext messages. This protects against an attacker replaying messages or injecting messages from anoth er EDHOC session.</t>
<t>EDHOC also adds selection of connection identifiers and downgrade pro <t>EDHOC also adds the selection of connection identifiers and downgrade
tected negotiation of cryptographic parameters, i.e., an attacker cannot affect -protected negotiation of cryptographic parameters, i.e., an attacker cannot aff
the negotiated parameters. A single session of EDHOC does not include negotiatio ect the negotiated parameters. A single session of EDHOC does not include negoti
n of cipher suites, but it enables the Responder to verify that the selected cip ation of cipher suites, but it enables the Responder to verify that the selected
her suite is the most preferred cipher suite by the Initiator which is supported cipher suite is the most preferred cipher suite by the Initiator that is suppor
by both the Initiator and the Responder, and to abort the EDHOC session if not. ted by both the Initiator and Responder and to abort the EDHOC session if not.</
</t> t>
<t>As required by <xref target="RFC7258"/>, IETF protocols need to mitig <t>As required by <xref target="RFC7258"/>, IETF protocols need to mitig
ate pervasive monitoring when possible. EDHOC therefore only supports methods wi ate pervasive monitoring when possible. Therefore, EDHOC only supports methods w
th ephemeral Diffie-Hellman and provides a key update function (see <xref target ith ephemeral Diffie-Hellman and provides a key update function (see <xref targe
="keyupdate"/>) for lightweight application protocol rekeying. Either of these p t="keyupdate"/>) for lightweight application protocol rekeying. Either of these
rovides forward secrecy, in the sense that compromise of the private authenticat provides forward secrecy, in the sense that compromise of the private authentica
ion keys does not compromise past session keys (PRK_out), and compromise of a se tion keys does not compromise past session keys (PRK_out) and compromise of a se
ssion key does not compromise past session keys. Frequently re-running EDHOC wit ssion key does not compromise past session keys. Frequently re-running EDHOC wit
h ephemeral Diffie-Hellman forces attackers to perform dynamic key exfiltration h ephemeral Diffie-Hellman forces attackers to perform dynamic key exfiltration
where the attacker must have continuous interactions with the collaborator, whic where the attacker must have continuous interactions with the collaborator, whic
h is a significant sustained attack.</t> h is a significant sustained attack.</t>
<t>To limit the effect of breaches, it is important to limit the use of <t>To limit the effect of breaches, it is important to limit the use of
symmetric group keys for bootstrapping. EDHOC therefore strives to make the addi symmetric group keys for bootstrapping. Therefore, EDHOC strives to make the add
tional cost of using raw public keys and self-signed certificates as small as po itional cost of using raw public keys and self-signed certificates as small as p
ssible. Raw public keys and self-signed certificates are not a replacement for a ossible. Raw public keys and self-signed certificates are not a replacement for
public key infrastructure but SHOULD be used instead of symmetric group keys fo a public key infrastructure but <bcp14>SHOULD</bcp14> be used instead of symmetr
r bootstrapping.</t> ic group keys for bootstrapping.</t>
<t>Compromise of the long-term keys (private signature or static DH keys <t>Compromise of the long-term keys (private signature or static DH keys
) does not compromise the security of completed EDHOC sessions. Compromising the ) does not compromise the security of completed EDHOC sessions. Compromising the
private authentication keys of one party lets an active attacker impersonate th private authentication keys of one party lets an active attacker impersonate th
at compromised party in EDHOC sessions with other parties but does not let the a at compromised party in EDHOC sessions with other parties but does not let the a
ttacker impersonate other parties in EDHOC sessions with the compromised party. ttacker impersonate other parties in EDHOC sessions with the compromised party.
Compromise of the long-term keys does not enable a passive attacker to compromis Compromise of the long-term keys does not enable a passive attacker to compromis
e future session keys (PRK_out). Compromise of the HDKF input parameters (ECDH s e future session keys (PRK_out). Compromise of the HKDF input parameters (ECDH s
hared secret) leads to compromise of all session keys derived from that compromi hared secret) leads to compromise of all session keys derived from that compromi
sed shared secret. Compromise of one session key does not compromise other sessi sed shared secret. Compromise of one session key does not compromise other sessi
on keys. Compromise of PRK_out leads to compromise of all keying material derive on keys. Compromise of PRK_out leads to compromise of all keying material derive
d with the EDHOC_Exporter.</t> d with the EDHOC_Exporter.</t>
<t>Based on the cryptographic algorithms requirements <xref target="sec_ <t>Based on the cryptographic algorithm requirements (<xref target="sec_
algs"/>, EDHOC provides a minimum of 64-bit security against online brute force algs"/>), EDHOC provides a minimum of 64-bit security against online brute force
attacks and a minimum of 128-bit security against offline brute force attacks. T attacks and a minimum of 128-bit security against offline brute force attacks.
o break 64-bit security against online brute force an attacker would on average To break 64-bit security against online brute force, an attacker would on averag
have to send 4.3 billion messages per second for 68 years, which is infeasible i e have to send 4.3 billion messages per second for 68 years, which is infeasible
n constrained IoT radio technologies. A forgery against a 64-bit MAC in EDHOC br in constrained IoT radio technologies. A forgery against a 64-bit MAC in EDHOC
eaks the security of all future application data, while a forgery against a 64-b breaks the security of all future application data, while a forgery against a 64
it MAC in the subsequent application protocol (e.g., OSCORE <xref target="RFC861 -bit MAC in the subsequent application protocol (e.g., OSCORE <xref target="RFC8
3"/>) typically only breaks the security of the data in the forged packet.</t> 613"/>) typically only breaks the security of the data in the forged packet.</t>
<t>As the EDHOC session is aborted when verification fails, the security <t>As the EDHOC session is aborted when verification fails, the security
against online attacks is given by the sum of the strength of the verified sign against online attacks is given by the sum of the strength of the verified sign
atures and MACs (including MAC in AEAD). As an example, if EDHOC is used with me atures and MACs (including MAC in AEAD). As an example, if EDHOC is used with me
thod 3, cipher suite 2, and message_4, the Responder is authenticated with 128-b thod 3, cipher suite 2, and message_4, the Responder is authenticated with 128-b
it security against online attacks (the sum of the 64-bit MACs in message_2 and it security against online attacks (the sum of the 64-bit MACs in message_2 and
message_4). The same principle applies for MACs in an application protocol keyed message_4). The same principle applies for MACs in an application protocol keyed
by EDHOC as long as EDHOC is rerun when verification of the first MACs in the a by EDHOC as long as EDHOC is re-run when verification of the first MACs in the
pplication protocol fails. As an example, if EDHOC with method 3 and cipher suit application protocol fails. As an example, if EDHOC with method 3 and cipher sui
e 2 is used as in Figure 2 of <xref target="I-D.ietf-core-oscore-edhoc"/>, 128-b te 2 is used as in Figure 2 of <xref target="I-D.ietf-core-oscore-edhoc"/>, 128-
it mutual authentication against online attacks can be achieved after completion bit mutual authentication against online attacks can be achieved after completio
of the first OSCORE request and response.</t> n of the first OSCORE request and response.</t>
<t>After sending message_3, the Initiator is assured that no other party <t>After sending message_3, the Initiator is assured that no other party
than the Responder can compute the key PRK_out. While the Initiator can securel than the Responder can compute the key PRK_out. While the Initiator can securel
y send protected application data, the Initiator SHOULD NOT persistently store t y send protected application data, the Initiator <bcp14>SHOULD NOT</bcp14> persi
he keying material PRK_out until the Initiator has verified message_4 or a messa stently store the keying material PRK_out until the Initiator has verified messa
ge protected with a derived application key, such as an OSCORE message, from the ge_4 or a message protected with a derived application key, such as an OSCORE me
Responder. After verifying message_3, the Responder is assured that an honest I ssage, from the Responder. After verifying message_3, the Responder is assured t
nitiator has computed the key PRK_out. The Responder can securely derive and sto hat an honest Initiator has computed the key PRK_out. The Responder can securely
re the keying material PRK_out, and send protected application data.</t> derive and store the keying material PRK_out and send protected application dat
<t>External authorization data sent in message_1 (EAD_1) or message_2 (E a.</t>
AD_2) should be considered unprotected by EDHOC, see <xref target="unprot-data"/ <t>External authorization data sent in message_1 (EAD_1) or message_2 (E
>. EAD_2 is encrypted but the Responder has not yet authenticated the Initiator AD_2) should be considered unprotected by EDHOC; see <xref target="unprot-data"/
and the encryption does not provide confidentiality against active attacks.</t> >. EAD_2 is encrypted, but the Responder has not yet authenticated the Initiator
<t>External authorization data sent in message_3 (EAD_3) or message_4 (E and the encryption does not provide confidentiality against active attacks.</t>
AD_4) is protected between Initiator and Responder by the protocol, but note tha <t>External authorization data sent in message_3 (EAD_3) or message_4 (E
t EAD fields may be used by the application before the message verification is c AD_4) is protected between the Initiator and Responder by the protocol, but note
ompleted, see <xref target="AD"/>. Designing a secure mechanism that uses EAD is that EAD fields may be used by the application before the message verification
not necessarily straightforward. This document only provides the EAD transport is completed; see <xref target="AD"/>. Designing a secure mechanism that uses EA
mechanism, but the problem of agreeing on the surrounding context and the meanin D is not necessarily straightforward. This document only provides the EAD transp
g of the information passed to and from the application remains. Any new uses of ort mechanism, but the problem of agreeing on the surrounding context and the me
EAD should be subject to careful review.</t> aning of the information passed to and from the application remains. Any new use
<t>Key compromise impersonation (KCI): In EDHOC authenticated with signa s of EAD should be subject to careful review.</t>
ture keys, EDHOC provides KCI protection against an attacker having access to th <dl newline="false" spacing="normal">
e long-term key or the ephemeral secret key. With static Diffie-Hellman key auth <dt>Key Compromise Impersonation (KCI):</dt> <dd>In EDHOC authenticate
entication, KCI protection would be provided against an attacker having access t d with signature keys, EDHOC provides KCI protection against an attacker having
o the long-term Diffie-Hellman key, but not to an attacker having access to the access to the long-term key or the ephemeral secret key. With static Diffie-Hell
ephemeral secret key. Note that the term KCI has typically been used for comprom man key authentication, KCI protection would be provided against an attacker hav
ise of long-term keys, and that an attacker with access to the ephemeral secret ing access to the long-term Diffie-Hellman key but not to an attacker having acc
key can only attack that specific EDHOC session.</t> ess to the ephemeral secret key. Note that the term KCI has typically been used
<t>Repudiation: If an endpoint authenticates with a signature, the other for compromise of long-term keys and that an attacker with access to the ephemer
endpoint can prove that the endpoint performed a run of the protocol by present al secret key can only attack that specific EDHOC session.</dd>
ing the data being signed as well as the signature itself. With static Diffie-He <dt>Repudiation:</dt> <dd>If an endpoint authenticates with a signatur
llman key authentication, the authenticating endpoint can deny having participat e, the other endpoint can prove that the endpoint performed a run of the protoco
ed in the protocol.</t> l by presenting the data being signed as well as the signature itself. With stat
<t>Earlier versions of EDHOC have been formally analyzed <xref target="B ic Diffie-Hellman key authentication, the authenticating endpoint can deny havin
runi18"/> <xref target="Norrman20"/> <xref target="CottierPointcheval22"/> <xref g participated in the protocol.</dd>
target="Jacomme23"/> <xref target="GuentherIlunga22"/> and the specification ha </dl>
s been updated based on the analysis.</t> <t>Earlier versions of EDHOC have been formally analyzed <xref target="B
runi18"/> <xref target="Norrman20"/> <xref target="CottierPointcheval22"/> <xref
target="Jacomme23"/> <xref target="GuentherIlunga22"/>, and the specification h
as been updated based on the analysis.</t>
</section> </section>
<section anchor="crypto"> <section anchor="crypto">
<name>Cryptographic Considerations</name> <name>Cryptographic Considerations</name>
<t>The SIGMA protocol requires that the encryption of message_3 provides confidentiality against active attackers and EDHOC message_4 relies on the use of <t>The SIGMA protocol requires that the encryption of message_3 provides confidentiality against active attackers and EDHOC message_4 relies on the use of
authenticated encryption. Hence, the message authenticating functionality of the authenticated encryption. Hence, the message authenticating functionality of the
authenticated encryption in EDHOC is critical: authenticated encryption MUST NO authenticated encryption in EDHOC is critical, i.e., authenticated encryption <
T be replaced by plain encryption only, even if authentication is provided at an bcp14>MUST NOT</bcp14> be replaced by plain encryption only, even if authenticat
other level or through a different mechanism.</t> ion is provided at another level or through a different mechanism.</t>
<t>To reduce message overhead EDHOC does not use explicit nonces and ins <t>To reduce message overhead, EDHOC does not use explicit nonces and in
tead relies on the ephemeral public keys to provide randomness to each EDHOC ses stead relies on the ephemeral public keys to provide randomness to each EDHOC se
sion. A good amount of randomness is important for the key generation, to provid ssion. A good amount of randomness is important for the key generation to provid
e liveness, and to protect against interleaving attacks. For this reason, the ep e liveness and to protect against interleaving attacks. For this reason, the eph
hemeral keys MUST NOT be used in more than one EDHOC message, and both parties S emeral keys <bcp14>MUST NOT</bcp14> be used in more than one EDHOC message, and
HALL generate fresh random ephemeral key pairs. Note that an ephemeral key may b both parties <bcp14>SHALL</bcp14> generate fresh, random ephemeral key pairs. No
e used to calculate several ECDH shared secrets. When static Diffie-Hellman auth te that an ephemeral key may be used to calculate several ECDH shared secrets. W
entication is used the same ephemeral key is used in both ephemeral-ephemeral an hen static Diffie-Hellman authentication is used, the same ephemeral key is used
d ephemeral-static ECDH.</t> in both ephemeral-ephemeral and ephemeral-static ECDH.</t>
<t>As discussed in <xref target="SIGMA"/>, the encryption of message_2 d <t>As discussed in <xref target="SIGMA"/>, the encryption of message_2 o
oes only need to protect against passive attacker as active attackers can always nly needs to protect against a passive attacker since active attackers can alway
get the Responder's identity by sending their own message_1. EDHOC uses the EDH s get the Responder's identity by sending their own message_1. EDHOC uses the ED
OC_Expand function (typically HKDF-Expand) as a binary additive stream cipher wh HOC_Expand function (typically HKDF-Expand) as a binary additive stream cipher t
ich is proven secure as long as the expand function is a PRF. HKDF-Expand is no hat is proven secure as long as the expand function is a Pseudorandom Function (
t often used as a stream cipher as it is slow on long messages, and most applica PRF). HKDF-Expand is not often used as a stream cipher as it is slow on long mes
tions require both confidentiality with indistinguishability under chosen cipher sages, and most applications require both confidentiality with indistinguishabil
text (IND-CCA) as well as integrity protection. For the encryption of message_2, ity under adaptive chosen ciphertext attack (IND-CCA2) as well as integrity prot
any speed difference is negligible, IND-CCA does not increase security, and int ection. For the encryption of message_2, any speed difference is negligible, IND
egrity is provided by the inner MAC (and signature depending on method).</t> -CCA2 does not increase security, and integrity is provided by the inner MAC (an
<t>Requirements for how to securely generate, validate, and process the d signature depending on method).</t>
ephemeral public keys depend on the elliptic curve. For X25519 and X448, the req <t>Requirements for how to securely generate, validate, and process the
uirements are defined in <xref target="RFC7748"/>. For secp256r1, secp384r1, and public keys depend on the elliptic curve. For X25519 and X448, the requirements
secp521r1, the requirements are defined in Section 5 of <xref target="SP-800-56 are defined in <xref target="RFC7748"/>. For X25519 and X448, the check for all-
A"/>. For secp256r1, secp384r1, and secp521r1, at least partial public-key valid zero output as specified in <xref target="RFC7748" sectionFormat="of" section="6
ation MUST be done.</t> "/> <bcp14>MUST</bcp14> be done. For secp256r1, secp384r1, and secp521r1, the re
<t>The same authentication credential MAY be used for both the Initiator quirements are defined in Section 5 of <xref target="SP-800-56A"/>. For secp256r
and Responder roles. As noted in Section 12 of <xref target="RFC9052"/> the use 1, secp384r1, and secp521r1, at least partial public key validation <bcp14>MUST<
of a single key for multiple algorithms is strongly discouraged unless proven s /bcp14> be done.</t>
ecure by a dedicated cryptographic analysis. In particular this recommendation a <t>The same authentication credential <bcp14>MAY</bcp14> be used for bot
pplies to using the same private key for static Diffie-Hellman authentication an h the Initiator
d digital signature authentication. A preliminary conjecture is that a minor cha and Responder roles. As noted in <xref target="RFC9052" section="12" section
nge to EDHOC may be sufficient to fit the analysis of secure shared signature an Format="of"/>, the use of a single key for multiple algorithms is strongly disco
d ECDH key usage in <xref target="Degabriele11"/> and <xref target="Thormarker21 uraged unless proven secure by a dedicated cryptographic analysis. In particula
"/>.</t> r, this recommendation applies to using the same private key for static Diffie-H
<t>The property that a completed EDHOC session implies that another iden ellman authentication and digital signature authentication. A preliminary conjec
tity has been active is upheld as long as the Initiator does not have its own id ture is that a minor change to EDHOC may be sufficient to fit the analysis of a
entity in the set of Responder identities it is allowed to communicate with. In secure shared signature and ECDH key usage in <xref target="Degabriele11"/> and
Trust on first use (TOFU) use cases, see <xref target="tofu"/>, the Initiator sh <xref target="Thormarker21"/>. Note that Section 5.6.3.2 of <xref target="SP-800
ould verify that the Responder's identity is not equal to its own. Any future ED -56A"/> allows a key agreement key pair to be used with a signature algorithm in
HOC methods using e.g., pre-shared keys might need to mitigate this in other way certificate requests.</t>
s. However, an active attacker can gain information about the set of identities <t>The property that a completed EDHOC session implies that another iden
an Initiator is willing to communicate with. If the Initiator is willing to comm tity has been active is upheld as long as the Initiator does not have its own id
unicate with all identities except its own an attacker can determine that a gues entity in the set of Responder identities it is allowed to communicate with. In
sed Initiator identity is correct. To not leak any long-term identifiers, using trust-on-first-use (TOFU) use cases (see <xref target="tofu"/>), the Initiator s
a freshly generated authentication key as identity in each initial TOFU session hould verify that the Responder's identity is not equal to its own. Any future E
is RECOMMENDED.</t> DHOC methods using, e.g., PSKs might need to mitigate this in other ways. Howeve
<t>NIST SP 800-56A <xref target="SP-800-56A"/> forbids deriving secret a r, an active attacker can gain information about the set of identities an Initia
nd non-secret randomness from the same KDF instance, but this decision has been tor is willing to communicate with. If the Initiator is willing to communicate w
criticized by Krawczyk <xref target="HKDFpaper"/> and doing so is common practic ith all identities except its own, an attacker can determine that a guessed Init
e. In addition to IVs, other examples are the challenge in EAP-TTLS, the RAND in iator identity is correct. To not leak any long-term identifiers, using a freshl
3GPP AKAs, and the Session-Id in EAP-TLS 1.3. Note that part of KEYSTREAM_2 is y generated authentication key as an identity in each initial TOFU session is <b
also non-secret randomness as it is known or predictable to an attacker. The mor cp14>RECOMMENDED</bcp14>.</t>
e recent NIST SP 800-108 <xref target="SP-800-108"/> aligns with <xref target="H <t>NIST SP 800-56A <xref target="SP-800-56A"/> forbids deriving secret a
KDFpaper"/> and states that for a secure KDF, the revelation of one portion of t nd non-secret randomness from the same Key Derivation Function (KDF) instance, b
he derived keying material must not degrade the security of any other portion of ut this decision has been criticized by Krawczyk in <xref target="HKDFpaper"/> a
that keying material.</t> nd doing so is common practice. In addition to IVs, other examples are the chall
enge in Extensible Authentication Protocol Tunneled Transport Layer Security (EA
P-TTLS), the RAND in 3GPP Authentication and Key Agreement (AKA), and the Sessio
n-Id in EAP-TLS 1.3. Note that part of KEYSTREAM_2 is also non-secret randomness
, as it is known or predictable to an attacker. The more recent NIST SP 800-108
<xref target="SP-800-108"/> aligns with <xref target="HKDFpaper"/> and states th
at, for a secure KDF, the revelation of one portion of the derived keying materi
al must not degrade the security of any other portion of that keying material.</
t>
</section> </section>
<section anchor="sec_algs"> <section anchor="sec_algs">
<name>Cipher Suites and Cryptographic Algorithms</name> <name>Cipher Suites and Cryptographic Algorithms</name>
<t>When using private cipher suite or registering new cipher suites, the <t>When using a private cipher suite or registering new cipher suites, t
choice of key length used in the different algorithms needs to be harmonized, s he choice of the key length used in the different algorithms needs to be harmoni
o that a sufficient security level is maintained for authentication credentials, zed so that a sufficient security level is maintained for authentication credent
the EDHOC session, and the protection of application data. The Initiator and th ials, the EDHOC session, and the protection of application data. The Initiator a
e Responder should enforce a minimum security level.</t> nd Responder should enforce a minimum security level.</t>
<t>The output size of the EDHOC hash algorithm MUST be at least 256-bits <t>The output size of the EDHOC hash algorithm <bcp14>MUST</bcp14> be at
, i.e., the hash algorithms SHA-1 and SHA-256/64 (SHA-256 truncated to 64-bits) least 256 bits. In particular, the hash algorithms SHA-1 and SHA-256/64 (SHA-25
SHALL NOT be supported for use in EDHOC except for certificate identification wi 6 truncated to 64 bits) <bcp14>SHALL NOT</bcp14> be supported for use in EDHOC e
th x5t and c5t. For security considerations of SHA-1, see <xref target="RFC6194" xcept for certificate identification with x5t and c5t. For security consideratio
/>. As EDHOC integrity protects the whole authentication credentials, the choice ns of SHA-1, see <xref target="RFC6194"/>. As EDHOC integrity protects all the a
of hash algorithm in x5t and c5t does not affect security, and using the same h uthentication credentials, the choice of hash algorithm in x5t and c5t does not
ash algorithm as in the cipher suite, but with as much truncation as possible, i affect security and using the same hash algorithm as in the cipher suite, but wi
s RECOMMENDED. That is, when the EDHOC hash algorithm is SHA-256, using SHA-256/ th as much truncation as possible, is <bcp14>RECOMMENDED</bcp14>. That is, when
64 in x5t and c5t is RECOMMENDED. The EDHOC MAC length MUST be at least 8 bytes the EDHOC hash algorithm is SHA-256, using SHA-256/64 in x5t and c5t is <bcp14>R
and the tag length of the EDHOC AEAD algorithm MUST be at least 64-bits. Note th ECOMMENDED</bcp14>. The EDHOC MAC length <bcp14>MUST</bcp14> be at least 8 bytes
at secp256k1 is only defined for use with ECDSA and not for ECDH. Note that some and the tag length of the EDHOC AEAD algorithm <bcp14>MUST</bcp14> be at least
COSE algorithms are marked as not recommended in the COSE IANA registry.</t> 64 bits. Note that secp256k1 is only defined for use with ECDSA and not for ECDH
. Note that some COSE algorithms are marked as not recommended in the COSE IANA
registry.</t>
</section> </section>
<section anchor="pqc"> <section anchor="pqc">
<name>Post-Quantum Considerations</name> <name>Post-Quantum Considerations</name>
<t>As of the publication of this specification, it is unclear when or ev <t>As of the publication of this specification, it is unclear when or ev
en if a quantum computer of sufficient size and power to exploit public key cryp en if a quantum computer of sufficient size and power to exploit public key cryp
tography will exist. Deployments that need to consider risks decades into the fu tography will exist. Deployments that need to consider risks decades into the fu
ture should transition to Post-Quantum Cryptography (PQC) in the not-too-distant ture should transition to Post-Quantum Cryptography (PQC) in the not-too-distant
future. Many other systems should take a slower wait-and-see approach where PQC future. Many other systems should take a slower wait-and-see approach where PQC
is phased in when the quantum threat is more imminent. Current PQC algorithms h is phased in when the quantum threat is more imminent. Current PQC algorithms h
ave limitations compared to Elliptic Curve Cryptography (ECC) and the data sizes ave limitations compared to Elliptic Curve Cryptography (ECC), and the data size
would be problematic in many constrained IoT systems.</t> s would be problematic in many constrained IoT systems.</t>
<t>Symmetric algorithms used in EDHOC such as SHA-256 and AES-CCM-16-64- <t>Symmetric algorithms used in EDHOC, such as SHA-256 and AES-CCM-16-64
128 are practically secure against even large quantum computers. Two of NIST's s -128, are practically secure against even large quantum computers. Two of NIST's
ecurity levels for quantum-resistant public-key cryptography are based on AES-12 security levels for quantum-resistant public key cryptography are based on AES-
8 and SHA-256. Quantum computer will likely be expensive, slow due to heavy erro 128 and SHA-256. A quantum computer will likely be expensive and slow due to hea
r correction, and Grover’s algorithm, which is proven to be optimal, cannot effe vy error correction. Grover's algorithm, which is proven to be optimal, cannot e
ctively be parallelized. Grover’s algorithm will provide little or no advantage ffectively be parallelized. It will provide little or no advantage in attacking
in attacking AES, and AES-128 will remain secure for decades to come <xref targe AES, and AES-128 will remain secure for decades to come <xref target="NISTPQC"/>
t="NISTPQC"/>.</t> .</t>
<t>EDHOC supports all signature algorithms defined by COSE, including PQ <t>EDHOC supports all signature algorithms defined by COSE, including PQ
C signature algorithms such as HSS-LMS. EDHOC is currently only specified for us C signature algorithms such as HSS-LMS. EDHOC is currently only specified for us
e with key exchange algorithms of type ECDH curves, but any Key Encapsulation Me e with key exchange algorithms of type ECDH curves, but any Key Encapsulation Me
thod (KEM), including PQC KEMs, can be used in method 0. While the key exchange thod (KEM), including PQC KEMs, can be used in method 0. While the key exchange
in method 0 is specified with terms of the Diffie-Hellman protocol, the key exch in method 0 is specified with the terms of the Diffie-Hellman protocol, the key
ange adheres to a KEM interface: G_X is then the public key of the Initiator, G_ exchange adheres to a KEM interface: G_X is then the public key of the Initiator
Y is the encapsulation, and G_XY is the shared secret. Use of PQC KEMs to replac , G_Y is the encapsulation, and G_XY is the shared secret. Use of PQC KEMs to re
e static DH authentication would likely require a specification updating EDHOC w place static DH authentication would likely require a specification updating EDH
ith new methods.</t> OC with new methods.</t>
</section> </section>
<section anchor="unprot-data"> <section anchor="unprot-data">
<name>Unprotected Data and Privacy</name> <name>Unprotected Data and Privacy</name>
<t>The Initiator and the Responder must make sure that unprotected data <t>The Initiator and Responder must make sure that unprotected data and
and metadata do not reveal any sensitive information. This also applies for encr metadata do not reveal any sensitive information. This also applies for encrypte
ypted data sent to an unauthenticated party. In particular, it applies to EAD_1, d data sent to an unauthenticated party. In particular, it applies to EAD_1, ID_
ID_CRED_R, EAD_2, and error messages. Using the same EAD_1 in several EDHOC ses CRED_R, EAD_2, and error messages. Using the same EAD_1 in several EDHOC session
sions allows passive eavesdroppers to correlate the different sessions. Note tha s allows passive eavesdroppers to correlate the different sessions. Note that ev
t even if ead_value is encrypted outside of EDHOC, the ead_labels in EAD_1 is re en if ead_value is encrypted outside of EDHOC, the ead_labels in EAD_1 are revea
vealed to passive attackers and the ead_labels in EAD_2 is revealed to active at led to passive attackers and the ead_labels in EAD_2 are revealed to active atta
tackers. Another consideration is that the list of supported cipher suites may p ckers. Another consideration is that the list of supported cipher suites may pot
otentially be used to identify the application. The Initiator and the Responder entially be used to identify the application. The Initiator and Responder must a
must also make sure that unauthenticated data does not trigger any harmful actio lso make sure that unauthenticated data does not trigger any harmful actions. In
ns. In particular, this applies to EAD_1 and error messages.</t> particular, this applies to EAD_1 and error messages.</t>
<t>An attacker observing network traffic may use connection identifiers <t>An attacker observing network traffic may use connection identifiers
sent in clear in EDHOC or the subsequent application protocol to correlate packe sent in clear in EDHOC or the subsequent application protocol to correlate packe
ts sent on different paths or at different times. The attacker may use this info ts sent on different paths or at different times. The attacker may use this info
rmation for traffic flow analysis or to track an endpoint. Application protocols rmation for traffic flow analysis or to track an endpoint. Application protocols
using connection identifiers from EDHOC SHOULD provide mechanisms to update the using connection identifiers from EDHOC <bcp14>SHOULD</bcp14> provide mechanism
connection identifiers and MAY provide mechanisms to issue several simultaneous s to update the connection identifiers and <bcp14>MAY</bcp14> provide mechanisms
ly active connection identifiers. See <xref target="RFC9000"/> for a non-constra to issue several simultaneously active connection identifiers. See <xref target
ined example of such mechanisms. Connection identifiers can e.g., be chosen rand ="RFC9000"/> for a non-constrained example of such mechanisms. Connection identi
omly among the set of unused 1-byte connection identifiers. Connection identity fiers can, e.g., be chosen randomly among the set of unused 1-byte connection id
privacy mechanisms are only useful when there are not fixed identifiers such as entifiers. Connection identity privacy mechanisms are only useful when there are
IP address or MAC address in the lower layers.</t> not fixed identifiers, such as IP address or MAC address in the lower layers.</
t>
</section> </section>
<section anchor="internet-threat"> <section anchor="internet-threat">
<name>Updated Internet Threat Model Considerations</name> <name>Updated Internet Threat Model Considerations</name>
<t>Since the publication of <xref target="RFC3552"/> there has been an i <t>Since the publication of <xref target="RFC3552"/>, there has been an
ncreased awareness of the need to protect against endpoints that are compromised increased awareness of the need to protect against endpoints that are compromise
, malicious, or whose interests simply do not align with the interests of users d or malicious or whose interests simply do not align with the interests of user
<xref target="I-D.arkko-arch-internet-threat-model-guidance"/>. <xref target="RF s <xref target="I-D.arkko-arch-internet-threat-model-guidance"/>. <xref target="
C7624"/> describes an updated threat model for Internet confidentiality, see <xr RFC7624"/> describes an updated threat model for Internet confidentiality; see <
ef target="sec-prop"/>. <xref target="I-D.arkko-arch-internet-threat-model-guida xref target="sec-prop"/>. <xref target="I-D.arkko-arch-internet-threat-model-gui
nce"/> further expands the threat model. Implementations and users should take t dance"/> further expands the threat model. Implementations and users should take
hese threat models into account and consider actions to reduce the risk of track these threat models into account and consider actions to reduce the risk of tra
ing by other endpoints. In particular, even data sent protected to the other end cking by other endpoints. In particular, even data sent protected to the other e
point such as ID_CRED fields and EAD fields can be used for tracking, see Sectio ndpoint, such as ID_CRED fields and EAD fields, can be used for tracking; see <x
n 2.7 of <xref target="I-D.arkko-arch-internet-threat-model-guidance"/>.</t> ref target="I-D.arkko-arch-internet-threat-model-guidance" section="2.7" section
<t>The fields ID_CRED_I, ID_CRED_R, EAD_2, EAD_3, and EAD_4 have variabl Format="of"/>.</t>
e length, and information regarding the length may leak to an attacker. A passiv <t>The fields ID_CRED_I, ID_CRED_R, EAD_2, EAD_3, and EAD_4 have variabl
e attacker may, e.g., be able to differentiate endpoints using identifiers of di e length, and information regarding the length may leak to an attacker. A passiv
fferent length. To mitigate this information leakage an implementation may ensur e attacker may, e.g., be able to differentiate endpoints using identifiers of di
e that the fields have fixed length or use padding. An implementation may, e.g., fferent length. To mitigate this information leakage, an implementation may ensu
only use fixed length identifiers like 'kid' of length 1. Alternatively, paddin re that the fields have a fixed length or use padding. An implementation may, e.
g may be used (see <xref target="padding"/>) to hide the true length of, e.g., c g., only use fixed length identifiers like 'kid' of length 1. Alternatively, pad
ertificates by value in 'x5chain' or 'c5c'.</t> ding may be used (see <xref target="padding"/>) to hide the true length of, e.g.
, certificates by value in 'x5chain' or 'c5c'.</t>
</section> </section>
<section anchor="dos"> <section anchor="dos">
<name>Denial-of-Service</name> <name>Denial of Service</name>
<t>EDHOC itself does not provide countermeasures against denial-of-servi <t>EDHOC itself does not provide countermeasures against denial-of-servi
ce attacks. In particular, by sending a number of new or replayed message_1 an a ce attacks. In particular, by sending a number of new or replayed message_1, an
ttacker may cause the Responder to allocate state, perform cryptographic operati attacker may cause the Responder to allocate the state, perform cryptographic op
ons, and amplify messages. To mitigate such attacks, an implementation SHOULD ma erations, and amplify messages. To mitigate such attacks, an implementation <bcp
ke use of available lower layer mechanisms. For instance, when EDHOC is transfer 14>SHOULD</bcp14> make use of available lower layer mechanisms. For instance, wh
red as an exchange of CoAP messages, the CoAP server can use the Echo option def en EDHOC is transferred as an exchange of CoAP messages, the CoAP server can use
ined in <xref target="RFC9175"/> which forces the CoAP client to demonstrate rea the Echo option defined in <xref target="RFC9175"/>, which forces the CoAP clie
chability at its apparent network address. To avoid an additional roundtrip the nt to demonstrate reachability at its apparent network address. To avoid an addi
Initiator can reduce the amplification factor by padding message_1, i.e., using tional round trip, the Initiator can reduce the amplification factor by padding
EAD_1, see <xref target="padding"/>. message_1, i.e., using EAD_1; see <xref target="padding"/>.
Note that while the Echo option mitigates some resource exhaustion aspects of Note that while the Echo option mitigates some resource exhaustion aspects of
spoofing, it does not protect against a distributed denial-of-service attack mad e by real, potentially compromised, clients. Similarly, limiting amplification o nly reduces the impact, which still may be significant because of a large number of clients engaged in the attack.</t> spoofing, it does not protect against a distributed denial-of-service attack mad e by real, potentially compromised, clients. Similarly, limiting amplification o nly reduces the impact, which still may be significant because of a large number of clients engaged in the attack.</t>
<t>An attacker can also send faked message_2, message_3, message_4, or e rror in an attempt to trick the receiving party to send an error message and abo rt the EDHOC session. EDHOC implementations MAY evaluate if a received message i s likely to have been forged by an attacker and ignore it without sending an err or message or aborting the EDHOC session.</t> <t>An attacker can also send a faked message_2, message_3, message_4, or error in an attempt to trick the receiving party to send an error message and a bort the EDHOC session. EDHOC implementations <bcp14>MAY</bcp14> evaluate if a r eceived message is likely to have been forged by an attacker and ignore it witho ut sending an error message or aborting the EDHOC session.</t>
</section> </section>
<section anchor="impl-cons"> <section anchor="impl-cons">
<name>Implementation Considerations</name> <name>Implementation Considerations</name>
<t>The availability of a secure random number generator is essential for <t>The availability of a secure random number generator is essential for
the security of EDHOC. If no true random number generator is available, a rando the security of EDHOC. If no true random number generator is available, a rando
m seed MUST be provided from an external source and used with a cryptographicall m seed <bcp14>MUST</bcp14> be provided from an external source and used with a c
y secure pseudorandom number generator. As each pseudorandom number must only be ryptographically secure pseudorandom number generator. As each pseudorandom numb
used once, an implementation needs to get a unique input to the pseudorandom nu er must only be used once, an implementation needs to get a unique input to the
mber generator after reboot, or continuously store state in nonvolatile memory. pseudorandom number generator after reboot or continuously store state in nonvol
Appendix B.1.1 in <xref target="RFC8613"/> describes issues and solution approac atile memory. <xref target="RFC8613" sectionFormat="of" section="B.1.1"/> descri
hes for writing to nonvolatile memory. Intentionally or unintentionally weak or bes issues and solution approaches for writing to nonvolatile memory. Intentiona
predictable pseudorandom number generators can be abused or exploited for malici lly or unintentionally weak or predictable pseudorandom number generators can be
ous purposes. <xref target="RFC8937"/> describes a way for security protocol imp abused or exploited for malicious purposes. <xref target="RFC8937"/> describes
lementations to augment their (pseudo)random number generators using a long-term a way for security protocol implementations to augment their (pseudo)random numb
private key and a deterministic signature function. This improves randomness fr er generators using a long-term private key and a deterministic signature functi
om broken or otherwise subverted random number generators. The same idea can be on. This improves randomness from broken or otherwise subverted random number ge
used with other secrets and functions such as a Diffie-Hellman function or a sym nerators. The same idea can be used with other secrets and functions, such as a
metric secret and a PRF like HMAC or KMAC. It is RECOMMENDED to not trust a sing Diffie-Hellman function or a symmetric secret, and a PRF like HMAC or KMAC. It i
le source of randomness and to not put unaugmented random numbers on the wire.</ s <bcp14>RECOMMENDED</bcp14> to not trust a single source of randomness and to n
t> ot put unaugmented random numbers on the wire.</t>
<t>For many constrained IoT devices it is problematic to support several <t>For many constrained IoT devices, it is problematic to support severa
crypto primitives. Existing devices can be expected to support either ECDSA or l crypto primitives. Existing devices can be expected to support either ECDSA or
EdDSA. If ECDSA is supported, "deterministic ECDSA" as specified in <xref target Edwards-curve Digital Signature Algorithm (EdDSA). If ECDSA is supported, "dete
="RFC6979"/> MAY be used. Pure deterministic elliptic-curve signatures such as d rministic ECDSA", as specified in <xref target="RFC6979"/>, <bcp14>MAY</bcp14> b
eterministic ECDSA and EdDSA have gained popularity over randomized ECDSA as the e used. Pure deterministic elliptic-curve signatures, such as deterministic ECDS
ir security do not depend on a source of high-quality randomness. Recent researc A and EdDSA, have gained popularity over randomized ECDSA as their security does
h has however found that implementations of these signature algorithms may be vu not depend on a source of high-quality randomness. Recent research has however
lnerable to certain side-channel and fault injection attacks due to their determ found that implementations of these signature algorithms may be vulnerable to ce
inism. See e.g., Section 1 of <xref target="I-D.irtf-cfrg-det-sigs-with-noise"/> rtain side-channel and fault injection attacks due to their determinism. For exa
for a list of attack papers. As suggested in Section 2.1.1 of <xref target="RFC mple, see <xref target="I-D.irtf-cfrg-det-sigs-with-noise" section="1" sectionFo
9053"/> this can be addressed by combining randomness and determinism.</t> rmat="of"/> for a list of attack papers. As suggested in <xref target="RFC9053"
<t>Appendix D of <xref target="I-D.ietf-lwig-curve-representations"/> de section="2.1.1" sectionFormat="of"/>, this can be addressed by combining randomn
scribes how Montgomery curves such as X25519 and X448 and (twisted) Edwards curv ess and determinism.</t>
es as curves such as Ed25519 and Ed448 can be mapped to and from short-Weierstra <t><xref target="I-D.ietf-lwig-curve-representations" sectionFormat="of"
ss form for implementation on platforms that accelerate elliptic curve group ope section="D"/> describes how Montgomery curves, such as X25519 and X448, and (tw
rations in short-Weierstrass form.</t> isted) Edwards curves, such as Ed25519 and Ed448, can be mapped to and from shor
<t>All private keys, symmetric keys, and IVs MUST be secret. Only the Re t-Weierstrass form for implementations on platforms that accelerate elliptic cur
sponder SHALL have access to the Responder's private authentication key and only ve group operations in short-Weierstrass form.</t>
the Initiator SHALL have access to the Initiator's private authentication key. <t>All private keys, symmetric keys, and IVs <bcp14>MUST</bcp14> be secr
Implementations should provide countermeasures to side-channel attacks such as t et. Only the Responder <bcp14>SHALL</bcp14> have access to the Responder's priva
iming attacks. Intermediate computed values such as ephemeral ECDH keys and ECDH te authentication key, and only the Initiator <bcp14>SHALL</bcp14> have access t
shared secrets MUST be deleted after key derivation is completed.</t> o the Initiator's private authentication key. Implementations should provide cou
<t>The Initiator and the Responder are responsible for verifying the int ntermeasures to side-channel attacks, such as timing attacks. Intermediate compu
egrity and validity of certificates. Verification of validity may require the us ted values, such as ephemeral ECDH keys and ECDH shared secrets, <bcp14>MUST</bc
e of a Real-Time Clock (RTC). The selection of trusted CAs should be done very c p14> be deleted after key derivation is completed.</t>
arefully and certificate revocation should be supported. The choice of revocatio <t>The Initiator and Responder are responsible for verifying the integri
n mechanism is left to the application. For example, in case of X.509 certificat ty and validity of certificates. Verification of validity may require the use of
es, Certificate Revocation Lists <xref target="RFC5280"/> or OCSP <xref target=" a Real-Time Clock (RTC). The selection of trusted certification authorities (CA
RFC6960"/> may be used.</t> s) should be done very carefully and certificate revocation should be supported.
<t>Similar considerations as for certificates are needed for CWT/CCS. Th The choice of revocation mechanism is left to the application. For example, in
e endpoints are responsible for verifying the integrity and validity of CWT/CCS, case of X.509 certificates, Certificate Revocation Lists <xref target="RFC5280"/
and to handle revocation. The application needs to determine what trust anchors > or the Online Certificate Status Protocol (OCSP) <xref target="RFC6960"/> may
are relevant, and have a well-defined trust-establishment process. A self-signe be used.</t>
d certificate/CWT or CCS appearing in the protocol cannot be a trigger to modify <t>Similar considerations as for certificates are needed for CWT/CCS. Th
the set of trust anchors. One common way for a new trust anchor to be added to e endpoints are responsible for verifying the integrity and validity of CWT/CCS
(or removed from) a device is by means firmware upgrade. See <xref target="RFC93 and to handle revocation. The application needs to determine what trust anchors
60"/> for a longer discussion on trust and validation in constrained devices.</t are relevant and have a well-defined trust-establishment process. A self-signed
> certificate / CWT or CCS appearing in the protocol cannot be a trigger to modify
<t>Just like for certificates, the contents of the COSE header parameter the set of trust anchors. One common way for a new trust anchor to be added to
s 'kcwt' and 'kccs' defined in <xref target="cwt-header-param"/> must be process (or removed from) a device is by means firmware upgrade. See <xref target="RFC93
ed as untrusted input. Endpoints that intend to rely on the assertions made by a 60"/> for a longer discussion on trust and validation in constrained devices.</t
CWT/CCS obtained from any of these methods need to validate the contents. For ' >
kccs', which enables transport of raw public keys, the data structure used does <t>Just like for certificates, the contents of the COSE header parameter
not include any protection or verification data. 'kccs' may be used for unauthen s 'kcwt' and 'kccs' defined in <xref target="cwt-header-param"/> must be process
ticated operations, e.g. trust on first use, with the limitations and caveats en ed as untrusted inputs. Endpoints that intend to rely on the assertions made by
tailed, see <xref target="tofu"/>.</t> a CWT/CCS obtained from any of these methods need to validate the contents. For
<t>The Initiator and the Responder are allowed to select the connection 'kccs', which enables transport of raw public keys, the data structure used does
identifier C_I and C_R, respectively, for the other party to use in the ongoing not include any protection or verification data. 'kccs' may be used for unauthe
EDHOC session as well as in a subsequent application protocol (e.g., OSCORE <xre nticated operations, e.g., trust on first use, with the limitations and caveats
f target="RFC8613"/>). The choice of connection identifier is not security criti entailed; see <xref target="tofu"/>.</t>
cal in EDHOC but intended to simplify the retrieval of the right security contex <t>The Initiator and Responder are allowed to select connection identifi
t in combination with using short identifiers. If the wrong connection identifie ers C_I and C_R, respectively, for the other party to use in the ongoing EDHOC s
r of the other party is used in a protocol message it will result in the receivi ession as well as in a subsequent application protocol (e.g., OSCORE <xref targe
ng party not being able to retrieve a security context (which will abort the EDH t="RFC8613"/>). The choice of the connection identifier is not security critical
OC session) or retrieve the wrong security context (which also aborts the EDHOC in EDHOC but intended to simplify the retrieval of the right security context i
session as the message cannot be verified).</t> n combination with using short identifiers. If the wrong connection identifier o
<t>If two nodes unintentionally initiate two simultaneous EDHOC sessions f the other party is used in a protocol message, it will result in the receiving
with each other even if they only want to complete a single EDHOC session, they party not being able to retrieve a security context (which will abort the EDHOC
MAY abort the EDHOC session with the lexicographically smallest G_X. Note that session) or retrieve the wrong security context (which also aborts the EDHOC se
in cases where several EDHOC sessions with different parameter sets (method, COS ssion as the message cannot be verified).</t>
E headers, etc.) are used, an attacker can affect which parameter set will be us <t>If two nodes unintentionally initiate two simultaneous EDHOC sessions
ed by blocking some of the parameter sets.</t> with each other, even if they only want to complete a single EDHOC session, the
<t>If supported by the device, it is RECOMMENDED that at least the long- y <bcp14>MAY</bcp14> abort the EDHOC session with the lexicographically smallest
term private keys are stored in a Trusted Execution Environment (TEE, see for ex G_X. Note that in cases where several EDHOC sessions with different parameter s
ample <xref target="RFC9397"/>) and that sensitive operations using these keys a ets (method, COSE headers, etc.) are used, an attacker can affect which paramete
re performed inside the TEE. To achieve even higher security it is RECOMMENDED r set will be used by blocking some of the parameter sets.</t>
that additional operations such as ephemeral key generation, all computations of <t>If supported by the device, it is <bcp14>RECOMMENDED</bcp14> that at
shared secrets, and storage of the PRK keys can be done inside the TEE. The use least the long-term private keys are stored in a Trusted Execution Environment (
of a TEE aims at preventing code within that environment to be tampered with, a TEE) (for example, see <xref target="RFC9397"/>) and that sensitive operations u
nd preventing data used by such code to be read or tampered with by code outside sing these keys are performed inside the TEE. To achieve even higher security,
that environment.</t> it is <bcp14>RECOMMENDED</bcp14> that additional operations such as ephemeral ke
<t>Note that HKDF-Expand has a relatively small maximum output length of y generation, all computations of shared secrets, and storage of the PRK keys ca
255 <contact fullname="⋅"/> hash_length, where hash_length is the output size i n be done inside the TEE. The use of a TEE aims at preventing code within that e
n bytes of the EDHOC hash algorithm of the selected cipher suite. This means tha nvironment to be tampered with and preventing data used by such code to be read
t when SHA-256 is used as hash algorithm, PLAINTEXT_2 cannot be longer than 8160 or tampered with by code outside that environment.</t>
bytes. This is probably not a limitation for most intended applications, but to <t>Note that HKDF-Expand has a relatively small maximum output length of
be able to support for example long certificate chains or large external author 255 hash_length, where hash_length is the output size in bytes of the EDHOC h
ization data, there is a backwards compatible method specified in <xref target=" ash algorithm of the selected cipher suite. This means that when SHA-256 is used
large-plaintext_2"/>.</t> as a hash algorithm, PLAINTEXT_2 cannot be longer than 8160 bytes. This is prob
<t>The sequence of transcript hashes in EDHOC (TH_2, TH_3, TH_4) does no ably not a limitation for most intended applications, but to be able to support,
t make use of a so-called running hash. This is a design choice as running hashe for example, long certificate chains or large external authorization data, ther
s are often not supported on constrained platforms.</t> e is a backwards compatible method specified in <xref target="large-plaintext_2"
<t>When parsing a received EDHOC message, implementations MUST abort the />.</t>
EDHOC session if the message does not comply with the CDDL for that message. It <t>The sequence of transcript hashes in EDHOC (TH_2, TH_3, and TH_4) doe
is RECOMMENDED to abort the EDHOC session if the received EDHOC message is not s not make use of a so-called running hash. This is a design choice, as running
encoded using deterministic CBOR.</t> hashes are often not supported on constrained platforms.</t>
<t>When parsing a received EDHOC message, implementations <bcp14>MUST</b
cp14> abort the EDHOC session if the message does not comply with the CDDL for t
hat message. Implementations are not required to support non-deterministic encod
ings and <bcp14>MAY</bcp14> abort the EDHOC session if the received EDHOC messag
e is not encoded using deterministic CBOR. Implementations <bcp14>MUST</bcp14> a
bort the EDHOC session if validation of a received public key fails or if any cr
yptographic field has the wrong length. It is <bcp14>RECOMMENDED</bcp14> to abor
t the EDHOC session if the received EDHOC message is not encoded using determini
stic CBOR.</t>
</section> </section>
</section> </section>
<section anchor="iana"> <section anchor="iana">
<name>IANA Considerations</name> <name>IANA Considerations</name>
<t>This Section gives IANA Considerations and, unless otherwise noted, con forms with <xref target="RFC8126"/>.</t> <t>This section gives IANA considerations and, unless otherwise noted, con forms with <xref target="RFC8126"/>.</t>
<section anchor="exporter-label"> <section anchor="exporter-label">
<name>EDHOC Exporter Label Registry</name> <name>EDHOC Exporter Label Registry</name>
<t>IANA is requested to create a new registry under the new registry gro <t>IANA has created a new registry under the new registry group "Ephemer
up "Ephemeral Diffie-Hellman Over COSE (EDHOC)" as follows:</t> al Diffie-Hellman Over COSE (EDHOC)" as follows:</t>
<t>Registry Name: EDHOC Exporter Label</t> <dl newline="false" spacing="normal">
<t>Reference: [[this document]]</t> <dt>Registry Name:</dt> <dd>EDHOC Exporter Labels</dd>
<figure anchor="fig-exporter-label"> <dt>Reference:</dt> <dd>RFC 9528</dd>
<name>EDHOC exporter label.</name> </dl>
<artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version=
"1.1" height="288" width="536" viewBox="0 0 536 288" class="diagram" text-anchor
="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 8,32 L 8,256" fill="none" stroke="black"/>
<path d="M 120,32 L 120,256" fill="none" stroke="black"/>
<path d="M 368,32 L 368,256" fill="none" stroke="black"/>
<path d="M 528,32 L 528,256" fill="none" stroke="black"/>
<path d="M 8,32 L 528,32" fill="none" stroke="black"/>
<path d="M 8,62 L 528,62" fill="none" stroke="black"/>
<path d="M 8,66 L 528,66" fill="none" stroke="black"/>
<path d="M 8,96 L 528,96" fill="none" stroke="black"/>
<path d="M 8,128 L 528,128" fill="none" stroke="black"/>
<path d="M 8,160 L 528,160" fill="none" stroke="black"/>
<path d="M 8,192 L 528,192" fill="none" stroke="black"/>
<path d="M 8,224 L 528,224" fill="none" stroke="black"/>
<path d="M 8,256 L 528,256" fill="none" stroke="black"/>
<g class="text">
<text x="40" y="52">Label</text>
<text x="176" y="52">Description</text>
<text x="416" y="52">Reference</text>
<text x="24" y="84">0</text>
<text x="160" y="84">Derived</text>
<text x="220" y="84">OSCORE</text>
<text x="276" y="84">Master</text>
<text x="332" y="84">Secret</text>
<text x="404" y="84">[[this</text>
<text x="476" y="84">document]]</text>
<text x="24" y="116">1</text>
<text x="160" y="116">Derived</text>
<text x="220" y="116">OSCORE</text>
<text x="276" y="116">Master</text>
<text x="324" y="116">Salt</text>
<text x="404" y="116">[[this</text>
<text x="476" y="116">document]]</text>
<text x="36" y="148">2-22</text>
<text x="172" y="148">Unassigned</text>
<text x="28" y="180">23</text>
<text x="164" y="180">Reserved</text>
<text x="404" y="180">[[this</text>
<text x="476" y="180">document]]</text>
<text x="52" y="212">24-32767</text>
<text x="172" y="212">Unassigned</text>
<text x="64" y="244">32768-65535</text>
<text x="160" y="244">Private</text>
<text x="208" y="244">Use</text>
</g>
</svg>
</artwork>
<artwork type="ascii-art"><![CDATA[
+-------------+------------------------------+-------------------+
| Label | Description | Reference |
+=============+==============================+===================+
| 0 | Derived OSCORE Master Secret | [[this document]] |
+-------------+------------------------------+-------------------+
| 1 | Derived OSCORE Master Salt | [[this document]] |
+-------------+------------------------------+-------------------+
| 2-22 | Unassigned | |
+-------------+------------------------------+-------------------+
| 23 | Reserved | [[this document]] |
+-------------+------------------------------+-------------------+
| 24-32767 | Unassigned | |
+-------------+------------------------------+-------------------+
| 32768-65535 | Private Use | |
+-------------+------------------------------+-------------------+
]]></artwork> <table anchor="tab-exporter-label">
</artset> <name>EDHOC Exporter Labels</name>
</figure> <thead>
<artset> <tr>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 <th>Label</th>
.1" height="160" width="432" viewBox="0 0 432 160" class="diagram" text-anchor=" <th>Description</th>
middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <th>Reference</th>
<path d="M 8,32 L 8,128" fill="none" stroke="black"/> </tr>
<path d="M 120,32 L 120,128" fill="none" stroke="black"/> </thead>
<path d="M 424,32 L 424,128" fill="none" stroke="black"/> <tbody>
<path d="M 8,32 L 424,32" fill="none" stroke="black"/> <tr>
<path d="M 8,62 L 424,62" fill="none" stroke="black"/> <td>0</td>
<path d="M 8,66 L 424,66" fill="none" stroke="black"/> <td>Derived OSCORE Master Secret</td>
<path d="M 8,96 L 424,96" fill="none" stroke="black"/> <td>RFC 9528</td>
<path d="M 8,128 L 424,128" fill="none" stroke="black"/> </tr> <tr>
<g class="text"> <td>1</td>
<text x="40" y="52">Range</text> <td>Derived OSCORE Master Salt</td>
<text x="180" y="52">Registration</text> <td>RFC 9528</td>
<text x="276" y="52">Procedures</text> </tr><tr>
<text x="24" y="84">0</text> <td>2-22</td>
<text x="44" y="84">to</text> <td>Unassigned</td>
<text x="68" y="84">23</text> <td></td>
<text x="168" y="84">Standards</text> </tr>
<text x="236" y="84">Action</text> <tr>
<text x="28" y="116">24</text> <td>23</td>
<text x="52" y="116">to</text> <td>Reserved</td>
<text x="88" y="116">32767</text> <td>RFC 9528</td>
<text x="156" y="116">Expert</text> </tr> <tr>
<text x="212" y="116">Review</text> <td>24-32767</td>
</g> <td>Unassigned</td>
</svg> <td></td>
</artwork> </tr><tr>
<artwork type="ascii-art"><![CDATA[ <td>32768-65535</td>
+-------------+-------------------------------------+ <td>Reserved for Private Use</td>
| Range | Registration Procedures | <td></td>
+=============+=====================================+ </tr>
| 0 to 23 | Standards Action | </tbody>
+-------------+-------------------------------------+ </table>
| 24 to 32767 | Expert Review |
+-------------+-------------------------------------+ <t>This registry also has a "Change Controller" field. For registrations made by
IETF documents, the IETF is listed.</t>
<table>
<name>Registration Procedures for EDHOC Exporter Labels</name>
<thead>
<tr>
<th>Range</th>
<th>Registration Procedures</th>
</tr>
</thead>
<tbody>
<tr>
<td>0-23</td>
<td>Standards Action</td>
</tr>
<tr>
<td>24-32767</td>
<td>Expert Review</td>
</tr>
<tr>
<td>32768-65535</td>
<td>Private Use</td>
</tr>
</tbody>
</table>
]]></artwork>
</artset>
</section> </section>
<section anchor="suites-registry"> <section anchor="suites-registry">
<name>EDHOC Cipher Suites Registry</name> <name>EDHOC Cipher Suites Registry</name>
<t>IANA is requested to create a new registry under the new registry gro <t>IANA has created a new registry under the new registry group "Ephemer
up "Ephemeral Diffie-Hellman Over COSE (EDHOC)" as follows:</t> al Diffie-Hellman Over COSE (EDHOC)" as follows:</t>
<t>Registry Name: EDHOC Cipher Suites</t> <dl newline="false" spacing="normal">
<t>Reference: [[this document]]</t> <dt>Registry Name:</dt> <dd>EDHOC Cipher Suites</dd>
<t>The columns of the registry are Value, Array and Description, where V <dt>Reference:</dt> <dd>RFC 9528</dd>
alue is an integer and the other columns are text strings. The initial contents </dl>
of the registry are:</t> <t>The columns of the registry are Value, Array, Description, and Refere
<artwork><![CDATA[ nce, where Value is an integer and the other columns are text strings. The initi
Value: -24 al contents of the registry are:</t>
Array: N/A
Description: Private Use <table>
Reference: [[this document]] <name>EDHOC Cipher Suites</name>
]]></artwork> <thead>
<artwork><![CDATA[ <tr>
Value: -23 <th>Value</th>
Array: N/A <th>Array</th>
Description: Private Use <th>Description</th>
Reference: [[this document]] <th>Reference</th>
]]></artwork> </tr>
<artwork><![CDATA[ </thead>
Value: -22 <tbody>
Array: N/A <tr>
Description: Private Use <td>-24</td>
Reference: [[this document]] <td>N/A</td>
]]></artwork> <td>Private Use</td>
<artwork><![CDATA[ <td>RFC 9528</td>
Value: -21 </tr>
Array: N/A <tr>
Description: Private Use <td>-23</td>
Reference: [[this document]] <td>N/A</td>
]]></artwork> <td>Private Use</td>
<artwork><![CDATA[ <td>RFC 9528</td>
Value: 0 </tr>
Array: 10, -16, 8, 4, -8, 10, -16 <tr>
Description: AES-CCM-16-64-128, SHA-256, 8, X25519, EdDSA, <td>-22</td>
AES-CCM-16-64-128, SHA-256 <td>N/A</td>
Reference: [[this document]] <td>Private Use</td>
]]></artwork> <td>RFC 9528</td>
<artwork><![CDATA[ </tr>
Value: 1 <tr>
Array: 30, -16, 16, 4, -8, 10, -16 <td>-21</td>
Description: AES-CCM-16-128-128, SHA-256, 16, X25519, EdDSA, <td>N/A</td>
AES-CCM-16-64-128, SHA-256 <td>Private Use</td>
Reference: [[this document]] <td>RFC 9528</td>
]]></artwork> </tr>
<artwork><![CDATA[ <tr>
Value: 2 <td>0</td>
Array: 10, -16, 8, 1, -7, 10, -16 <td>10, -16, 8, 4, -8, 10, -16</td>
Description: AES-CCM-16-64-128, SHA-256, 8, P-256, ES256, <td>AES-CCM-16-64-128, SHA-256, 8, X25519, EdDSA, AES&nbhy;CCM&nbhy;16&nbh
AES-CCM-16-64-128, SHA-256 y;64&nbhy;128, SHA-256</td>
Reference: [[this document]] <td>RFC 9528</td>
]]></artwork> </tr>
<artwork><![CDATA[ <tr>
Value: 3 <td>1</td>
Array: 30, -16, 16, 1, -7, 10, -16 <td>30, -16, 16, 4, -8, 10, -16</td>
Description: AES-CCM-16-128-128, SHA-256, 16, P-256, ES256, <td>AES-CCM-16-128-128, SHA&nbhy;256, 16, X25519, EdDSA, AES&nbhy;CCM&nbhy
AES-CCM-16-64-128, SHA-256 ;16&nbhy;64&nbhy;128, SHA-256</td>
Reference: [[this document]] <td>RFC 9528</td>
]]></artwork> </tr>
<artwork><![CDATA[ <tr>
Value: 4 <td>2</td>
Array: 24, -16, 16, 4, -8, 24, -16 <td>10, -16, 8, 1, -7, 10, -16</td>
Description: ChaCha20/Poly1305, SHA-256, 16, X25519, EdDSA, <td>AES-CCM-16-64-128, SHA-256, 8, P-256, ES256, AES&nbhy;CCM&nbhy;16&nbhy
ChaCha20/Poly1305, SHA-256 ;64&nbhy;128, SHA-256</td>
Reference: [[this document]] <td>RFC 9528</td>
]]></artwork> </tr>
<artwork><![CDATA[ <tr>
Value: 5 <td>3</td>
Array: 24, -16, 16, 1, -7, 24, -16 <td>30, -16, 16, 1, -7, 10, -16</td>
Description: ChaCha20/Poly1305, SHA-256, 16, P-256, ES256, <td>AES-CCM-16-128-128, SHA&nbhy;256, 16, P-256, ES256, AES&nbhy;CCM&nbhy;
ChaCha20/Poly1305, SHA-256 16&nbhy;64&nbhy;128, SHA-256</td>
Reference: [[this document]] <td>RFC 9528</td>
]]></artwork> </tr>
<artwork><![CDATA[ <tr>
Value: 6 <td>4</td>
Array: 1, -16, 16, 4, -7, 1, -16 <td>24, -16, 16, 4, -8, 24, -16</td>
Description: A128GCM, SHA-256, 16, X25519, ES256, <td>ChaCha20/Poly1305, SHA-256, 16, X25519, EdDSA, ChaCha20/Poly1305, SHA-
A128GCM, SHA-256 256</td>
Reference: [[this document]] <td>RFC 9528</td>
]]></artwork> </tr>
<artwork><![CDATA[ <tr>
Value: 23 <td>5</td>
Reserved <td>24, -16, 16, 1, -7, 24, -16</td>
Reference: [[this document]] <td>ChaCha20/Poly1305, SHA-256, 16, P-256, ES256, ChaCha20/&wj;Poly1305, S
]]></artwork> HA-256</td>
<artwork><![CDATA[ <td>RFC 9528</td>
Value: 24 </tr>
Array: 3, -43, 16, 2, -35, 3, -43 <tr>
Description: A256GCM, SHA-384, 16, P-384, ES384, <td>6</td>
A256GCM, SHA-384 <td>1, -16, 16, 4, -7, 1, -16</td>
Reference: [[this document]] <td>A128GCM, SHA-256, 16, X25519, ES256, A128GCM, SHA-256</td>
]]></artwork> <td>RFC 9528</td>
<artwork><![CDATA[ </tr>
Value: 25 <tr>
Array: 24, -45, 16, 5, -8, 24, -45
Description: ChaCha20/Poly1305, SHAKE256, 16, X448, EdDSA, <td>23</td>
ChaCha20/Poly1305, SHAKE256 <td></td>
Reference: [[this document]] <td>Reserved</td>
]]></artwork> <td>RFC 9528</td>
<artset> </tr>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 <tr>
.1" height="176" width="456" viewBox="0 0 456 176" class="diagram" text-anchor="
middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <td>24</td>
<path d="M 8,32 L 8,160" fill="none" stroke="black"/> <td>3, -43, 16, 2, -35, 3, -43</td>
<path d="M 144,32 L 144,160" fill="none" stroke="black"/> <td>A256GCM, SHA-384, 16, P-384, ES384,
<path d="M 448,32 L 448,160" fill="none" stroke="black"/> A256GCM, SHA-384</td>
<path d="M 8,32 L 448,32" fill="none" stroke="black"/> <td>RFC 9528</td>
<path d="M 8,62 L 448,62" fill="none" stroke="black"/> </tr>
<path d="M 8,66 L 448,66" fill="none" stroke="black"/> <tr>
<path d="M 8,96 L 448,96" fill="none" stroke="black"/> <td>25</td>
<path d="M 8,128 L 448,128" fill="none" stroke="black"/> <td>24, -45, 16, 5, -8, 24, -45</td>
<path d="M 8,160 L 448,160" fill="none" stroke="black"/> <td>ChaCha20/Poly1305, SHAKE256, 16, X448, EdDSA,
<g class="text"> ChaCha20/Poly1305, SHAKE256</td>
<text x="40" y="52">Range</text> <td>RFC 9528</td>
<text x="204" y="52">Registration</text> </tr>
<text x="300" y="52">Procedures</text> </tbody>
<text x="44" y="84">-65536</text> </table>
<text x="84" y="84">to</text>
<text x="112" y="84">-25</text> <table>
<text x="208" y="84">Specification</text> <name>Registration Procedures for EDHOC Cipher Suites</name>
<text x="300" y="84">Required</text> <thead>
<text x="32" y="116">-20</text> <tr>
<text x="60" y="116">to</text> <th>Range</th>
<text x="84" y="116">23</text> <th>Registration Procedures</th>
<text x="192" y="116">Standards</text> </tr>
<text x="260" y="116">Action</text> </thead>
<text x="308" y="116">with</text> <tbody>
<text x="356" y="116">Expert</text> <tr>
<text x="412" y="116">Review</text> <td>-65536 to -25</td>
<text x="28" y="148">24</text> <td>Specification Required</td>
<text x="52" y="148">to</text> </tr>
<text x="88" y="148">65535</text> <tr>
<text x="208" y="148">Specification</text> <td>-24 to -21</td>
<text x="300" y="148">Required</text> <td>Private Use</td>
</g> </tr>
</svg> <tr>
</artwork> <td>-20 to 23</td>
<artwork type="ascii-art"><![CDATA[ <td>Standards Action with Expert Review</td>
+----------------+-------------------------------------+ </tr>
| Range | Registration Procedures | <tr>
+================+=====================================+ <td>24 to 65535</td>
| -65536 to -25 | Specification Required | <td>Specification Required</td>
+----------------+-------------------------------------+ </tr>
| -20 to 23 | Standards Action with Expert Review | </tbody>
+----------------+-------------------------------------+ </table>
| 24 to 65535 | Specification Required |
+----------------+-------------------------------------+
]]></artwork>
</artset>
</section> </section>
<section anchor="method-types"> <section anchor="method-types">
<name>EDHOC Method Type Registry</name> <name>EDHOC Method Type Registry</name>
<t>IANA is requested to create a new registry under the new registry gro <t>IANA has created a new registry under the new registry group "Ephemer
up "Ephemeral Diffie-Hellman Over COSE (EDHOC)" as follows:</t> al Diffie-Hellman Over COSE (EDHOC)" as follows:</t>
<t>Registry Name: EDHOC Method Type</t> <dl newline="false" spacing="normal">
<t>Reference: [[this document]]</t> <dt>Registry Name:</dt> <dd>EDHOC Method Types</dd>
<t>The columns of the registry are Value, Initiator Authentication Key, <dt>Reference:</dt> <dd>RFC 9528</dd>
and Responder Authentication Key, and Reference, where Value is an integer and t </dl>
he key columns are text strings describing the authentication keys.</t> <t>The columns of the registry are Value, Initiator Authentication Key,
<t>The initial contents of the registry are shown in <xref target="fig-m Responder Authentication Key, and Reference, where Value is an integer and the k
ethod-types"/>. Method 23 is Reserved.</t> ey columns are text strings describing the authentication keys.</t>
<artset> <t>The initial contents of the registry are shown in <xref target="tab-m
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 ethod-types"/>. Method 23 is Reserved.</t>
.1" height="176" width="456" viewBox="0 0 456 176" class="diagram" text-anchor="
middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <table>
<path d="M 8,32 L 8,160" fill="none" stroke="black"/> <name>Registration Procedures for EDHOC Method Types</name>
<path d="M 144,32 L 144,160" fill="none" stroke="black"/> <thead>
<path d="M 448,32 L 448,160" fill="none" stroke="black"/> <tr>
<path d="M 8,32 L 448,32" fill="none" stroke="black"/> <th>Range</th>
<path d="M 8,62 L 448,62" fill="none" stroke="black"/> <th>Registration Procedures</th>
<path d="M 8,66 L 448,66" fill="none" stroke="black"/> </tr>
<path d="M 8,96 L 448,96" fill="none" stroke="black"/> </thead>
<path d="M 8,128 L 448,128" fill="none" stroke="black"/> <tbody>
<path d="M 8,160 L 448,160" fill="none" stroke="black"/> <tr>
<g class="text"> <td>-65536 to -25</td>
<text x="40" y="52">Range</text> <td>Specification Required</td>
<text x="204" y="52">Registration</text> </tr>
<text x="300" y="52">Procedures</text> <tr>
<text x="44" y="84">-65536</text> <td>-24 to 23</td>
<text x="84" y="84">to</text> <td>Standards Action with Expert Review</td>
<text x="112" y="84">-25</text> </tr>
<text x="208" y="84">Specification</text> <tr>
<text x="300" y="84">Required</text> <td>24 to 65535</td>
<text x="32" y="116">-24</text> <td>Specification Required</td>
<text x="60" y="116">to</text> </tr>
<text x="84" y="116">23</text> </tbody>
<text x="192" y="116">Standards</text> </table>
<text x="260" y="116">Action</text>
<text x="308" y="116">with</text>
<text x="356" y="116">Expert</text>
<text x="412" y="116">Review</text>
<text x="28" y="148">24</text>
<text x="52" y="148">to</text>
<text x="88" y="148">65535</text>
<text x="208" y="148">Specification</text>
<text x="300" y="148">Required</text>
</g>
</svg>
</artwork>
<artwork type="ascii-art"><![CDATA[
+----------------+-------------------------------------+
| Range | Registration Procedures |
+================+=====================================+
| -65536 to -25 | Specification Required |
+----------------+-------------------------------------+
| -24 to 23 | Standards Action with Expert Review |
+----------------+-------------------------------------+
| 24 to 65535 | Specification Required |
+----------------+-------------------------------------+
]]></artwork>
</artset>
</section> </section>
<section anchor="error-code-reg"> <section anchor="error-code-reg">
<name>EDHOC Error Codes Registry</name> <name>EDHOC Error Codes Registry</name>
<t>IANA is requested to create a new registry under the new registry gro <t>IANA has created a new registry under the new registry group "Ephemer
up "Ephemeral Diffie-Hellman Over COSE (EDHOC)" as follows:</t> al Diffie-Hellman Over COSE (EDHOC)" as follows:</t>
<t>Registry Name: EDHOC Error Codes</t> <dl newline="false" spacing="normal">
<t>Reference: [[this document]]</t> <dt>Registry Name:</dt> <dd>EDHOC Error Codes</dd>
<t>The columns of the registry are ERR_CODE, ERR_INFO Type, Description, <dt>Reference:</dt> <dd>RFC 9528</dd>
and Reference, where ERR_CODE is an integer, ERR_INFO is a CDDL defined type, a </dl>
nd Description is a text string. The initial contents of the registry are shown <t>The columns of the registry are ERR_CODE, ERR_INFO Type, Description,
in <xref target="fig-error-codes"/>. Error code 23 is Reserved.</t> Change Controller, and Reference, where ERR_CODE is an integer, ERR_INFO is a C
<artset> DDL defined type, and Description is a text string. The initial contents of the
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 registry are shown in <xref target="tab-error-codes"/>. Error code 23 is Reserve
.1" height="176" width="456" viewBox="0 0 456 176" class="diagram" text-anchor=" d. This registry also has a "Change Controller" field. For registrations made by
middle" font-family="monospace" font-size="13px" stroke-linecap="round"> IETF documents, the IETF is listed.</t>
<path d="M 8,32 L 8,160" fill="none" stroke="black"/>
<path d="M 144,32 L 144,160" fill="none" stroke="black"/> <table>
<path d="M 448,32 L 448,160" fill="none" stroke="black"/> <name>Registration Procedures for EDHOC Error Codes</name>
<path d="M 8,32 L 448,32" fill="none" stroke="black"/> <thead>
<path d="M 8,62 L 448,62" fill="none" stroke="black"/> <tr>
<path d="M 8,66 L 448,66" fill="none" stroke="black"/> <th>Range</th>
<path d="M 8,96 L 448,96" fill="none" stroke="black"/> <th>Registration Procedures</th>
<path d="M 8,128 L 448,128" fill="none" stroke="black"/> </tr>
<path d="M 8,160 L 448,160" fill="none" stroke="black"/> </thead>
<g class="text"> <tbody>
<text x="40" y="52">Range</text> <tr>
<text x="204" y="52">Registration</text> <td>-65536 to -25</td>
<text x="300" y="52">Procedures</text> <td>Expert Review</td>
<text x="44" y="84">-65536</text> </tr><tr>
<text x="84" y="84">to</text> <td>-24 to 23</td>
<text x="112" y="84">-25</text> <td>Standards Action</td>
<text x="180" y="84">Expert</text> </tr><tr>
<text x="236" y="84">Review</text> <td>24 to 65535</td>
<text x="32" y="116">-24</text> <td>Expert Review</td>
<text x="60" y="116">to</text> </tr>
<text x="84" y="116">23</text> </tbody>
<text x="192" y="116">Standards</text> </table>
<text x="260" y="116">Action</text>
<text x="28" y="148">24</text>
<text x="52" y="148">to</text>
<text x="88" y="148">65535</text>
<text x="180" y="148">Expert</text>
<text x="236" y="148">Review</text>
</g>
</svg>
</artwork>
<artwork type="ascii-art"><![CDATA[
+----------------+-------------------------------------+
| Range | Registration Procedures |
+================+=====================================+
| -65536 to -25 | Expert Review |
+----------------+-------------------------------------+
| -24 to 23 | Standards Action |
+----------------+-------------------------------------+
| 24 to 65535 | Expert Review |
+----------------+-------------------------------------+
]]></artwork>
</artset>
</section> </section>
<section anchor="iana-ead"> <section anchor="iana-ead">
<name>EDHOC External Authorization Data Registry</name> <name>EDHOC External Authorization Data Registry</name>
<t>IANA is requested to create a new registry under the new registry gro <t>IANA has created a new registry under the new registry group "Ephemer
up "Ephemeral Diffie-Hellman Over COSE (EDHOC)" as follows:</t> al Diffie-Hellman Over COSE (EDHOC)" as follows:</t>
<t>Registry Name: EDHOC External Authorization Data</t> <dl newline="false" spacing="normal">
<t>Reference: [[this document]]</t> <dt>Registry Name:</dt> <dd>EDHOC External Authorization Data</dd>
<t>The columns of the registry are Name, Label, Description, and Referen <dt>Reference:</dt> <dd>RFC 9528</dd>
ce, where Label is a non-negative integer and the other columns are text strings </dl>
. The initial contents of the registry is shown in <xref target="fig-ead-labels" <t>The columns of the registry are Name, Label, Description, and Referen
/>. EAD label 23 is Reserved.</t> ce, where Label is a nonnegative integer and the other columns are text strings.
<figure anchor="fig-ead-labels"> The initial contents of the registry are shown in <xref target="tab-ead-labels"
<name>EAD labels.</name> />. EAD label 23 is Reserved.</t>
<artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version= <table anchor="tab-ead-labels">
"1.1" height="128" width="536" viewBox="0 0 536 128" class="diagram" text-anchor <name>EDHOC EAD Labels</name>
="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <thead>
<path d="M 8,32 L 8,112" fill="none" stroke="black"/> <tr>
<path d="M 104,32 L 104,112" fill="none" stroke="black"/> <th>Name</th>
<path d="M 168,32 L 168,112" fill="none" stroke="black"/> <th>Label</th>
<path d="M 368,32 L 368,112" fill="none" stroke="black"/> <th>Description</th>
<path d="M 528,32 L 528,112" fill="none" stroke="black"/> <th>Reference</th>
<path d="M 8,32 L 528,32" fill="none" stroke="black"/> </tr>
<path d="M 8,62 L 528,62" fill="none" stroke="black"/> </thead>
<path d="M 8,66 L 528,66" fill="none" stroke="black"/> <tbody>
<path d="M 8,112 L 528,112" fill="none" stroke="black"/> <tr>
<g class="text"> <td>Padding</td>
<text x="36" y="52">Name</text> <td>0</td>
<text x="136" y="52">Label</text> <td>Randomly generated CBOR byte string</td>
<text x="224" y="52">Description</text> <td>RFC 9528, <xref target="padding"/></td>
<text x="416" y="52">Reference</text> </tr>
<text x="48" y="84">Padding</text> <tr>
<text x="136" y="84">0</text> <td></td>
<text x="212" y="84">Randomly</text> <td>23</td>
<text x="288" y="84">generated</text> <td>Reserved</td>
<text x="404" y="84">[[this</text> <td>RFC 9528</td>
<text x="476" y="84">document]]</text> </tr>
<text x="196" y="100">CBOR</text> </tbody>
<text x="236" y="100">byte</text> </table>
<text x="284" y="100">string</text>
<text x="408" y="100">Section</text> <table>
<text x="464" y="100">3.8.1</text> <name>Registration Procedures for EDHOC EAD Labels</name>
</g> <thead>
</svg> <tr>
</artwork> <th>Range</th>
<artwork type="ascii-art"><![CDATA[ <th>Registration Procedures</th>
+-----------+-------+------------------------+-------------------+ </tr>
| Name | Label | Description | Reference | </thead>
+===========+=======+========================+===================+ <tbody>
| Padding | 0 | Randomly generated | [[this document]] | <tr>
| | | CBOR byte string | Section 3.8.1 | <td>0 to 23</td>
+-----------+-------+------------------------+-------------------+ <td>Standards Action with Expert Review</td>
]]></artwork> </tr><tr>
</artset> <td>24 to 65535</td>
</figure> <td>Specification Required</td>
<artset> </tr>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 </tbody>
.1" height="160" width="432" viewBox="0 0 432 160" class="diagram" text-anchor=" </table>
middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 8,32 L 8,128" fill="none" stroke="black"/>
<path d="M 120,32 L 120,128" fill="none" stroke="black"/>
<path d="M 424,32 L 424,128" fill="none" stroke="black"/>
<path d="M 8,32 L 424,32" fill="none" stroke="black"/>
<path d="M 8,62 L 424,62" fill="none" stroke="black"/>
<path d="M 8,66 L 424,66" fill="none" stroke="black"/>
<path d="M 8,96 L 424,96" fill="none" stroke="black"/>
<path d="M 8,128 L 424,128" fill="none" stroke="black"/>
<g class="text">
<text x="40" y="52">Range</text>
<text x="180" y="52">Registration</text>
<text x="276" y="52">Procedures</text>
<text x="24" y="84">0</text>
<text x="44" y="84">to</text>
<text x="68" y="84">23</text>
<text x="168" y="84">Standards</text>
<text x="236" y="84">Action</text>
<text x="284" y="84">with</text>
<text x="332" y="84">Expert</text>
<text x="388" y="84">Review</text>
<text x="28" y="116">24</text>
<text x="52" y="116">to</text>
<text x="88" y="116">65535</text>
<text x="184" y="116">Specification</text>
<text x="276" y="116">Required</text>
</g>
</svg>
</artwork>
<artwork type="ascii-art"><![CDATA[
+-------------+-------------------------------------+
| Range | Registration Procedures |
+=============+=====================================+
| 0 to 23 | Standards Action with Expert Review |
+-------------+-------------------------------------+
| 24 to 65535 | Specification Required |
+-------------+-------------------------------------+
]]></artwork>
</artset>
</section> </section>
<section anchor="cwt-header-param"> <section anchor="cwt-header-param">
<name>COSE Header Parameters Registry</name> <name>COSE Header Parameters Registry</name>
<t>IANA is requested to register the following entries in the "COSE Head <t>IANA has registered the following entries in the "COSE Header Paramet
er Parameters" registry under the registry group "CBOR Object Signing and Encryp ers" registry under the registry group "CBOR Object Signing and Encryption (COSE
tion (COSE)" (see <xref target="fig-header-params"/>): The value of the 'kcwt' h )" (see <xref target="tab-header-params"/>). The value of the 'kcwt' header para
eader parameter is a COSE Web Token (CWT) <xref target="RFC8392"/>, and the valu meter is a COSE Web Token (CWT) <xref target="RFC8392"/>, and the value of the '
e of the 'kccs' header parameter is a CWT Claims Set (CCS), see <xref target="te kccs' header parameter is a CWT Claims Set (CCS); see <xref target="term"/>. The
rm"/>. The CWT/CCS must contain a COSE_Key in a 'cnf' claim <xref target="RFC874 CWT/CCS must contain a COSE_Key in a 'cnf' claim <xref target="RFC8747"/>. The
7"/>. The Value Registry for this item is empty and omitted from the table below Value Registry column for this item is empty and omitted from the table below.</
.</t> t>
<figure anchor="fig-header-params">
<name>COSE header parameter labels.</name> <table anchor="tab-header-params">
<artset> <name>COSE Header Parameter Labels</name>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version=
"1.1" height="256" width="560" viewBox="0 0 560 256" class="diagram" text-anchor <thead>
="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <tr>
<path d="M 8,32 L 8,240" fill="none" stroke="black"/> <th>Name</th>
<path d="M 64,32 L 64,240" fill="none" stroke="black"/> <th>Label</th>
<path d="M 128,32 L 128,240" fill="none" stroke="black"/> <th>Value Type</th>
<path d="M 256,32 L 256,240" fill="none" stroke="black"/> <th>Description</th>
<path d="M 552,32 L 552,240" fill="none" stroke="black"/> </tr>
<path d="M 8,32 L 552,32" fill="none" stroke="black"/> </thead>
<path d="M 8,62 L 552,62" fill="none" stroke="black"/> <tbody>
<path d="M 8,66 L 552,66" fill="none" stroke="black"/> <tr>
<path d="M 8,160 L 552,160" fill="none" stroke="black"/> <td>kcwt</td>
<path d="M 8,240 L 552,240" fill="none" stroke="black"/> <td>13</td>
<g class="text"> <td>COSE_Messages</td>
<text x="36" y="52">Name</text> <td>A CBOR Web Token (CWT) containing
<text x="96" y="52">Label</text> a COSE_Key in a 'cnf' claim and
<text x="160" y="52">Value</text> possibly other claims. CWT is
<text x="204" y="52">Type</text> defined in RFC 8392. COSE_Messages
<text x="312" y="52">Description</text> is defined in RFC 9052.</td>
<text x="36" y="84">kcwt</text> </tr><tr>
<text x="92" y="84">TBD1</text> <td>kccs</td>
<text x="192" y="84">COSE_Messages</text> <td>14</td>
<text x="272" y="84">A</text> <td>map</td>
<text x="300" y="84">CBOR</text> <td>A CWT Claims Set (CCS) containing
<text x="336" y="84">Web</text> a COSE_Key in a 'cnf' claim and
<text x="376" y="84">Token</text> possibly other claims. CCS is
<text x="424" y="84">(CWT)</text> defined in RFC 8392.</td>
<text x="492" y="84">containing</text> </tr>
<text x="272" y="100">a</text> </tbody>
<text x="316" y="100">COSE_Key</text> </table>
<text x="364" y="100">in</text>
<text x="384" y="100">a</text>
<text x="416" y="100">'cnf'</text>
<text x="464" y="100">claim</text>
<text x="504" y="100">and</text>
<text x="300" y="116">possibly</text>
<text x="360" y="116">other</text>
<text x="416" y="116">claims.</text>
<text x="464" y="116">CWT</text>
<text x="492" y="116">is</text>
<text x="296" y="132">defined</text>
<text x="340" y="132">in</text>
<text x="368" y="132">RFC</text>
<text x="408" y="132">8392.</text>
<text x="488" y="132">COSE_Messages</text>
<text x="276" y="148">is</text>
<text x="320" y="148">defined</text>
<text x="364" y="148">in</text>
<text x="392" y="148">RFC</text>
<text x="432" y="148">9052.</text>
<text x="36" y="180">kccs</text>
<text x="92" y="180">TBD2</text>
<text x="152" y="180">map</text>
<text x="272" y="180">A</text>
<text x="296" y="180">CWT</text>
<text x="340" y="180">Claims</text>
<text x="384" y="180">Set</text>
<text x="424" y="180">(CCS)</text>
<text x="492" y="180">containing</text>
<text x="272" y="196">a</text>
<text x="316" y="196">COSE_Key</text>
<text x="364" y="196">in</text>
<text x="384" y="196">a</text>
<text x="416" y="196">'cnf'</text>
<text x="464" y="196">claim</text>
<text x="504" y="196">and</text>
<text x="300" y="212">possibly</text>
<text x="360" y="212">other</text>
<text x="416" y="212">claims.</text>
<text x="464" y="212">CCS</text>
<text x="492" y="212">is</text>
<text x="296" y="228">defined</text>
<text x="340" y="228">in</text>
<text x="368" y="228">RFC</text>
<text x="408" y="228">8392.</text>
</g>
</svg>
</artwork>
<artwork type="ascii-art"><![CDATA[
+------+-------+---------------+------------------------------------+
| Name | Label | Value Type | Description |
+======+=======+===============+====================================+
| kcwt | TBD1 | COSE_Messages | A CBOR Web Token (CWT) containing |
| | | | a COSE_Key in a 'cnf' claim and |
| | | | possibly other claims. CWT is |
| | | | defined in RFC 8392. COSE_Messages |
| | | | is defined in RFC 9052. |
+------+-------+---------------+------------------------------------+
| kccs | TBD2 | map | A CWT Claims Set (CCS) containing |
| | | | a COSE_Key in a 'cnf' claim and |
| | | | possibly other claims. CCS is |
| | | | defined in RFC 8392. |
+------+-------+---------------+------------------------------------+
]]></artwork>
</artset>
</figure>
</section> </section>
<section anchor="well-known"> <section anchor="well-known">
<name>The Well-Known URI Registry</name> <name>Well-Known URI Registry</name>
<t>IANA is requested to add the well-known URI "edhoc" to the "Well-Know <t>IANA has added the well-known URI "edhoc" to the "Well-Known URIs" re
n URIs" registry.</t> gistry.</t>
<ul spacing="normal"> <dl>
<li>URI suffix: edhoc</li> <dt>URI Suffix:</dt><dd>edhoc</dd>
<li>Change controller: IETF</li> <dt>Change Controller:</dt><dd>IETF</dd>
<li>Specification document(s): [[this document]]</li> <dt>Reference:</dt><dd>RFC 9528</dd>
<li>Related information: None</li> <dt>Related Information:</dt><dd> None</dd>
</ul> </dl>
</section> </section>
<section anchor="media-type"> <section anchor="media-type">
<name>Media Types Registry</name> <name>Media Types Registry</name>
<t>IANA is requested to add the media types "application/edhoc+cbor-seq" and "application/cid-edhoc+cbor-seq" to the "Media Types" registry.</t> <t>IANA has added the media types "application/edhoc+cbor-seq" and "appl ication/cid-edhoc+cbor-seq" to the "Media Types" registry.</t>
<section anchor="applicationedhoccbor-seq-media-type-registration"> <section anchor="applicationedhoccbor-seq-media-type-registration">
<name>application/edhoc+cbor-seq Media Type Registration</name> <name>application/edhoc+cbor-seq Media Type Registration</name>
<ul spacing="normal"> <dl>
<li>Type name: application</li> <dt>Type name:</dt><dd> application</dd>
<li>Subtype name: edhoc+cbor-seq</li> <dt>Subtype name:</dt><dd> edhoc+cbor-seq</dd>
<li>Required parameters: N/A</li> <dt>Required parameters:</dt><dd> N/A</dd>
<li>Optional parameters: N/A</li> <dt>Optional parameters:</dt><dd> N/A</dd>
<li>Encoding considerations: binary</li> <dt>Encoding considerations:</dt><dd> binary</dd>
<li>Security considerations: See Section 7 of this document.</li> <dt>Security considerations:</dt><dd>See <xref target="duplication"/
<li>Interoperability considerations: N/A</li> > of RFC 9528.</dd>
<li>Published specification: [[this document]] (this document)</li> <dt>Interoperability considerations:</dt><dd> N/A</dd>
<li>Applications that use this media type: To be identified</li> <dt>Published specification:</dt><dd>RFC 9528</dd>
<li>Fragment identifier considerations: N/A</li> <dt>Applications that use this media type:</dt><dd> To be identified
<li> </dd>
<t>Additional information: </t> <dt>Fragment identifier considerations:</dt><dd> N/A</dd>
<ul spacing="normal">
<li>Magic number(s): N/A</li> <dt>Additional information: </dt>
<li>File extension(s): N/A</li> <dd>
<li>Macintosh file type code(s): N/A</li> <t><br/></t>
</ul> <dl>
</li> <dt>Magic number(s):</dt><dd> N/A</dd>
<li>Person &amp; email address to contact for further information: S <dt>File extension(s):</dt><dd> N/A</dd>
ee "Authors' Addresses" section.</li> <dt>Macintosh file type code(s):</dt><dd> N/A</dd>
<li>Intended usage: COMMON</li> </dl>
<li>Restrictions on usage: N/A</li> </dd>
<li>Author: See "Authors' Addresses" section.</li>
<li>Change Controller: IESG</li> <dt>Person &amp; email address to contact for further information:</
</ul> dt><dd> See "Authors' Addresses" section in RFC 9528.</dd>
</section> <dt>Intended usage:</dt><dd> COMMON</dd>
<dt>Restrictions on usage:</dt><dd> N/A</dd>
<dt>Author:</dt><dd> See "Authors' Addresses" section.</dd>
<dt>Change Controller:</dt><dd> IETF</dd>
</dl>
</section>
<section anchor="applicationcid-edhoccbor-seq-media-type-registration"> <section anchor="applicationcid-edhoccbor-seq-media-type-registration">
<name>application/cid-edhoc+cbor-seq Media Type Registration</name> <name>application/cid-edhoc+cbor-seq Media Type Registration</name>
<ul spacing="normal"> <dl>
<li>Type name: application</li> <dt>Type name:</dt><dd> application</dd>
<li>Subtype name: cid-edhoc+cbor-seq</li> <dt>Subtype name:</dt><dd> cid-edhoc+cbor-seq</dd>
<li>Required parameters: N/A</li> <dt>Required parameters:</dt><dd> N/A</dd>
<li>Optional parameters: N/A</li> <dt>Optional parameters:</dt><dd> N/A</dd>
<li>Encoding considerations: binary</li> <dt>Encoding considerations:</dt><dd> binary</dd>
<li>Security considerations: See Section 7 of this document.</li> <dt>Security considerations:</dt><dd> See <xref target="duplication"
<li>Interoperability considerations: N/A</li> /> of RFC 9528.</dd>
<li>Published specification: [[this document]] (this document)</li> <dt>Interoperability considerations:</dt><dd> N/A</dd>
<li>Applications that use this media type: To be identified</li> <dt>Published specification:</dt><dd>RFC 9528</dd>
<li>Fragment identifier considerations: N/A</li> <dt>Applications that use this media type:</dt><dd> To be identified
<li> </dd>
<t>Additional information: </t> <dt>Fragment identifier considerations:</dt><dd> N/A</dd>
<ul spacing="normal">
<li>Magic number(s): N/A</li> <dt>Additional information:</dt>
<li>File extension(s): N/A</li> <dd>
<li>Macintosh file type code(s): N/A</li> <t><br/></t>
</ul> <dl>
</li> <dt>Magic number(s):</dt><dd> N/A</dd>
<li>Person &amp; email address to contact for further information: S <dt>File extension(s):</dt><dd> N/A</dd>
ee "Authors' Addresses" section.</li> <dt>Macintosh file type code(s):</dt><dd> N/A</dd>
<li>Intended usage: COMMON</li> </dl>
<li>Restrictions on usage: N/A</li> </dd>
<li>Author: See "Authors' Addresses" section.</li>
<li>Change Controller: IESG</li> <dt>Person &amp; email address to contact for further information:</
</ul> dt><dd> See "Authors' Addresses" section in RFC 9528.</dd>
<dt>Intended usage:</dt><dd> COMMON</dd>
<dt>Restrictions on usage:</dt><dd> N/A</dd>
<dt>Author:</dt><dd> See "Authors' Addresses" section.</dd>
<dt>Change Controller:</dt><dd> IETF</dd>
</dl>
</section> </section>
</section> </section>
<section anchor="content-format"> <section anchor="content-format">
<name>CoAP Content-Formats Registry</name> <name>CoAP Content-Formats Registry</name>
<t>IANA is requested to add the media types "application/edhoc+cbor-seq" <t>IANA has added the media types "application/edhoc+cbor-seq" and "appl
and "application/cid-edhoc+cbor-seq" to the "CoAP Content-Formats" registry und ication/cid-edhoc+cbor-seq" to the "CoAP Content-Formats" registry under the reg
er the registry group "Constrained RESTful Environments (CoRE) Parameters".</t> istry group "Constrained RESTful Environments (CoRE) Parameters".</t>
<figure anchor="fig-format-ids">
<name>CoAP Content-Format IDs</name> <table anchor="tab-format-ids">
<artset> <name>CoAP Content-Format IDs</name>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version= <thead>
"1.1" height="128" width="584" viewBox="0 0 584 128" class="diagram" text-anchor <tr>
="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <th>Content Type</th>
<path d="M 8,32 L 8,112" fill="none" stroke="black"/> <th>Content Coding</th>
<path d="M 272,32 L 272,112" fill="none" stroke="black"/> <th>ID</th>
<path d="M 360,32 L 360,112" fill="none" stroke="black"/> <th>Reference</th>
<path d="M 416,32 L 416,112" fill="none" stroke="black"/> </tr>
<path d="M 576,32 L 576,112" fill="none" stroke="black"/> </thead>
<path d="M 8,32 L 576,32" fill="none" stroke="black"/> <tbody>
<path d="M 8,62 L 576,62" fill="none" stroke="black"/> <tr>
<path d="M 8,66 L 576,66" fill="none" stroke="black"/> <td>application/edhoc+cbor-seq</td>
<path d="M 8,112 L 576,112" fill="none" stroke="black"/> <td>-</td>
<g class="text"> <td>64</td>
<text x="40" y="52">Media</text> <td>RFC 9528</td>
<text x="84" y="52">Type</text> </tr><tr>
<text x="316" y="52">Encoding</text> <td>application/cid-edhoc+cbor-seq</td>
<text x="380" y="52">ID</text> <td>-</td>
<text x="464" y="52">Reference</text> <td>65</td>
<text x="124" y="84">application/edhoc+cbor-seq</text> <td>RFC 9528</td>
<text x="288" y="84">-</text> </tr>
<text x="388" y="84">TBD5</text> </tbody>
<text x="452" y="84">[[this</text> </table>
<text x="524" y="84">document]]</text>
<text x="140" y="100">application/cid-edhoc+cbor-seq</text>
<text x="288" y="100">-</text>
<text x="388" y="100">TBD6</text>
<text x="452" y="100">[[this</text>
<text x="524" y="100">document]]</text>
</g>
</svg>
</artwork>
<artwork type="ascii-art"><![CDATA[
+--------------------------------+----------+------+-------------------+
| Media Type | Encoding | ID | Reference |
+================================+==========+======+===================+
| application/edhoc+cbor-seq | - | TBD5 | [[this document]] |
| application/cid-edhoc+cbor-seq | - | TBD6 | [[this document]] |
+--------------------------------+----------+------+-------------------+
]]></artwork>
</artset>
</figure>
</section> </section>
<section anchor="rt"> <section anchor="rt">
<name>Resource Type (rt=) Link Target Attribute Values Registry</name> <name>Resource Type (rt=) Link Target Attribute Values Registry</name>
<t>IANA is requested to add the resource type "core.edhoc" to the "Resou <t>IANA has added the resource type "core.edhoc" to the "Resource Type (
rce Type (rt=) Link Target Attribute Values" registry under the registry group " rt=) Link Target Attribute Values" registry under the registry group "Constraine
Constrained RESTful Environments (CoRE) Parameters".</t> d RESTful Environments (CoRE) Parameters".</t>
<ul spacing="normal"> <dl>
<li>Value: "core.edhoc"</li> <dt>Value:</dt><dd>core.edhoc</dd>
<li>Description: EDHOC resource.</li> <dt>Description:</dt><dd>EDHOC resource</dd>
<li>Reference: [[this document]]</li> <dt>Reference:</dt><dd>RFC 9528</dd>
</ul> </dl>
</section> </section>
<section anchor="expert-review-instructions"> <section anchor="expert-review-instructions">
<name>Expert Review Instructions</name> <name>Expert Review Instructions</name>
<t>The IANA Registries established in this document are defined as "Expe rt Review", "Specification Required" or "Standards Action with Expert Review". This section gives some general guidelines for what the experts should be lookin g for, but they are being designated as experts for a reason so they should be g iven substantial latitude.</t> <t>The IANA registries established in this document are defined as "Expe rt Review", "Specification Required", or "Standards Action with Expert Review". This section gives some general guidelines for what the experts should be looki ng for, but they are being designated as experts for a reason so they should be given substantial latitude.</t>
<t>Expert reviewers should take into consideration the following points: </t> <t>Expert reviewers should take into consideration the following points: </t>
<ul spacing="normal"> <ul spacing="normal">
<li>Clarity and correctness of registrations. Experts are expected to <li>The clarity and correctness of registrations. Experts are expected
check the clarity of purpose and use of the requested entries. Expert needs to m to check the clarity of purpose and use of the requested entries. Expert needs
ake sure the values of algorithms are taken from the right registry, when that i to make sure the values of algorithms are taken from the right registry when tha
s required. Experts should consider requesting an opinion on the correctness of t is required. Experts should consider requesting an opinion on the correctness
registered parameters from relevant IETF working groups. Encodings that do not m of registered parameters from relevant IETF working groups. Encodings that do no
eet these objective of clarity and completeness should not be registered.</li> t meet these objectives of clarity and completeness should not be registered.</l
<li>Experts should take into account the expected usage of fields when i>
approving code point assignment. The length of the encoded value should be weig <li>The expected usage of fields when approving code point assignment.
hed against how many code points of that length are left, the size of device it The length of the encoded value should be weighed against how many code points
will be used on, and the number of code points left that encode to that size.</l of that length are left, the size of device it will be used on, and the number o
i> f code points left that encode to that size.</li>
<li>Even for "Expert Review" specifications are recommended. When spec <li>It is recommended to have a specification even if the registration
ifications are not provided for a request where Expert Review is the assignment procedure is "Expert Review". When specifications are not provided for a reques
policy, the description provided needs to have sufficient information to verify t where Expert Review is the assignment policy, the description provided needs t
the code points above.</li> o have sufficient information to verify the code points as above.</li>
</ul> </ul>
</section> </section>
</section> </section>
</middle> </middle>
<back> <back>
<displayreference target="I-D.ietf-rats-eat" to="EAT"/>
<displayreference target="I-D.ietf-lake-reqs" to="LAKE-REQS"/>
<displayreference target="I-D.ietf-core-oscore-edhoc" to="EDHOC-CoAP-OSCORE"/>
<displayreference target="I-D.ietf-cose-cbor-encoded-cert" to="C509-CERTS"/>
<displayreference target="I-D.ietf-core-oscore-key-update" to="KUDOS"/>
<displayreference target="I-D.ietf-lwig-curve-representations" to="CURVE-REPR"/>
<displayreference target="I-D.ietf-iotops-security-protocol-comparison" to="CoAP
-SEC-PROT"/>
<displayreference target="I-D.irtf-cfrg-det-sigs-with-noise" to="HEDGED-ECC-SIGS
"/>
<displayreference target="I-D.ietf-lake-authz" to="LAKE-AUTHZ"/>
<displayreference target="I-D.arkko-arch-internet-threat-model-guidance" to="THR
EAT-MODEL-GUIDANCE"/>
<references> <references>
<name>References</name> <name>References</name>
<references> <references>
<name>Normative References</name> <name>Normative References</name>
<reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2
119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"
<front> />
<title>Key words for use in RFCs to Indicate Requirement Levels</tit <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3279.xml"
le> />
<author fullname="S. Bradner" initials="S." surname="Bradner"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3552.xml"
<date month="March" year="1997"/> />
<abstract> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5116.xml"
<t>In many standards track documents several words are used to sig />
nify the requirements in the specification. These words are often capitalized. T <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5869.xml"
his document defines these words as they should be interpreted in IETF documents />
. This document specifies an Internet Best Current Practices for the Internet Co <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6090.xml"
mmunity, and requests discussion and suggestions for improvements.</t> />
</abstract> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6960.xml"
</front> />
<seriesInfo name="BCP" value="14"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6979.xml"
<seriesInfo name="RFC" value="2119"/> />
<seriesInfo name="DOI" value="10.17487/RFC2119"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7252.xml"
</reference> />
<reference anchor="RFC3279" target="https://www.rfc-editor.org/info/rfc3 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml"
279" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3279.xml"> />
<front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7959.xml"
<title>Algorithms and Identifiers for the Internet X.509 Public Key />
Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml"
<author fullname="L. Bassham" initials="L." surname="Bassham"/> />
<author fullname="W. Polk" initials="W." surname="Polk"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"
<author fullname="R. Housley" initials="R." surname="Housley"/> />
<date month="April" year="2002"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8392.xml"
<abstract> />
<t>This document specifies algorithm identifiers and ASN.1 encodin <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8410.xml"
g formats for digital signatures and subject public keys used in the Internet X. />
509 Public Key Infrastructure (PKI). Digital signatures are used to sign certifi <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8610.xml"
cates and certificate revocation list (CRLs). Certificates include the public ke />
y of the named subject. [STANDARDS-TRACK]</t> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8613.xml"
</abstract> />
</front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8724.xml"
<seriesInfo name="RFC" value="3279"/> />
<seriesInfo name="DOI" value="10.17487/RFC3279"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8742.xml"
</reference> />
<reference anchor="RFC3552" target="https://www.rfc-editor.org/info/rfc3 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8747.xml"
552" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3552.xml"> />
<front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8949.xml"
<title>Guidelines for Writing RFC Text on Security Considerations</t />
itle> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9052.xml"
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/> />
<author fullname="B. Korver" initials="B." surname="Korver"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9053.xml"
<date month="July" year="2003"/> />
<abstract> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9175.xml"
<t>All RFCs are required to have a Security Considerations section />
. Historically, such sections have been relatively weak. This document provides <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9360.xml"
guidelines to RFC authors on how to write a good Security Considerations section />
. This document specifies an Internet Best Current Practices for the Internet Co
mmunity, and requests discussion and suggestions for improvements.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="72"/>
<seriesInfo name="RFC" value="3552"/>
<seriesInfo name="DOI" value="10.17487/RFC3552"/>
</reference>
<reference anchor="RFC5116" target="https://www.rfc-editor.org/info/rfc5
116" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5116.xml">
<front>
<title>An Interface and Algorithms for Authenticated Encryption</tit
le>
<author fullname="D. McGrew" initials="D." surname="McGrew"/>
<date month="January" year="2008"/>
<abstract>
<t>This document defines algorithms for Authenticated Encryption w
ith Associated Data (AEAD), and defines a uniform interface and a registry for s
uch algorithms. The interface and registry can be used as an application-indepen
dent set of cryptoalgorithm suites. This approach provides advantages in efficie
ncy and security, and promotes the reuse of crypto implementations. [STANDARDS-T
RACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5116"/>
<seriesInfo name="DOI" value="10.17487/RFC5116"/>
</reference>
<reference anchor="RFC5869" target="https://www.rfc-editor.org/info/rfc5
869" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5869.xml">
<front>
<title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)<
/title>
<author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
<author fullname="P. Eronen" initials="P." surname="Eronen"/>
<date month="May" year="2010"/>
<abstract>
<t>This document specifies a simple Hashed Message Authentication
Code (HMAC)-based key derivation function (HKDF), which can be used as a buildin
g block in various protocols and applications. The key derivation function (KDF)
is intended to support a wide range of applications and requirements, and is co
nservative in its use of cryptographic hash functions. This document is not an I
nternet Standards Track specification; it is published for informational purpose
s.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5869"/>
<seriesInfo name="DOI" value="10.17487/RFC5869"/>
</reference>
<reference anchor="RFC6090" target="https://www.rfc-editor.org/info/rfc6
090" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6090.xml">
<front>
<title>Fundamental Elliptic Curve Cryptography Algorithms</title>
<author fullname="D. McGrew" initials="D." surname="McGrew"/>
<author fullname="K. Igoe" initials="K." surname="Igoe"/>
<author fullname="M. Salter" initials="M." surname="Salter"/>
<date month="February" year="2011"/>
<abstract>
<t>This note describes the fundamental algorithms of Elliptic Curv
e Cryptography (ECC) as they were defined in some seminal references from 1994 a
nd earlier. These descriptions may be useful for implementing the fundamental al
gorithms without using any of the specialized methods that were developed in fol
lowing years. Only elliptic curves defined over fields of characteristic greater
than three are in scope; these curves are those used in Suite B. This document
is not an Internet Standards Track specification; it is published for informatio
nal purposes.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6090"/>
<seriesInfo name="DOI" value="10.17487/RFC6090"/>
</reference>
<reference anchor="RFC6960" target="https://www.rfc-editor.org/info/rfc6
960" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6960.xml">
<front>
<title>X.509 Internet Public Key Infrastructure Online Certificate S
tatus Protocol - OCSP</title>
<author fullname="S. Santesson" initials="S." surname="Santesson"/>
<author fullname="M. Myers" initials="M." surname="Myers"/>
<author fullname="R. Ankney" initials="R." surname="Ankney"/>
<author fullname="A. Malpani" initials="A." surname="Malpani"/>
<author fullname="S. Galperin" initials="S." surname="Galperin"/>
<author fullname="C. Adams" initials="C." surname="Adams"/>
<date month="June" year="2013"/>
<abstract>
<t>This document specifies a protocol useful in determining the cu
rrent status of a digital certificate without requiring Certificate Revocation L
ists (CRLs). Additional mechanisms addressing PKIX operational requirements are
specified in separate documents. This document obsoletes RFCs 2560 and 6277. It
also updates RFC 5912.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6960"/>
<seriesInfo name="DOI" value="10.17487/RFC6960"/>
</reference>
<reference anchor="RFC6979" target="https://www.rfc-editor.org/info/rfc6
979" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6979.xml">
<front>
<title>Deterministic Usage of the Digital Signature Algorithm (DSA)
and Elliptic Curve Digital Signature Algorithm (ECDSA)</title>
<author fullname="T. Pornin" initials="T." surname="Pornin"/>
<date month="August" year="2013"/>
<abstract>
<t>This document defines a deterministic digital signature generat
ion procedure. Such signatures are compatible with standard Digital Signature Al
gorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) digital sig
natures and can be processed with unmodified verifiers, which need not be aware
of the procedure described therein. Deterministic signatures retain the cryptogr
aphic security features associated with digital signatures but can be more easil
y implemented in various environments, since they do not need access to a source
of high-quality randomness.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6979"/>
<seriesInfo name="DOI" value="10.17487/RFC6979"/>
</reference>
<reference anchor="RFC7252" target="https://www.rfc-editor.org/info/rfc7
252" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7252.xml">
<front>
<title>The Constrained Application Protocol (CoAP)</title>
<author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
<author fullname="K. Hartke" initials="K." surname="Hartke"/>
<author fullname="C. Bormann" initials="C." surname="Bormann"/>
<date month="June" year="2014"/>
<abstract>
<t>The Constrained Application Protocol (CoAP) is a specialized we
b transfer protocol for use with constrained nodes and constrained (e.g., low-po
wer, lossy) networks. The nodes often have 8-bit microcontrollers with small amo
unts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wire
less Personal Area Networks (6LoWPANs) often have high packet error rates and a
typical throughput of 10s of kbit/s. The protocol is designed for machine- to-ma
chine (M2M) applications such as smart energy and building automation.</t>
<t>CoAP provides a request/response interaction model between appl
ication endpoints, supports built-in discovery of services and resources, and in
cludes key concepts of the Web such as URIs and Internet media types. CoAP is de
signed to easily interface with HTTP for integration with the Web while meeting
specialized requirements such as multicast support, very low overhead, and simpl
icity for constrained environments.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7252"/>
<seriesInfo name="DOI" value="10.17487/RFC7252"/>
</reference>
<reference anchor="RFC7748" target="https://www.rfc-editor.org/info/rfc7
748" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml">
<front>
<title>Elliptic Curves for Security</title>
<author fullname="A. Langley" initials="A." surname="Langley"/>
<author fullname="M. Hamburg" initials="M." surname="Hamburg"/>
<author fullname="S. Turner" initials="S." surname="Turner"/>
<date month="January" year="2016"/>
<abstract>
<t>This memo specifies two elliptic curves over prime fields that
offer a high level of practical security in cryptographic applications, includin
g Transport Layer Security (TLS). These curves are intended to operate at the ~1
28-bit and ~224-bit security level, respectively, and are generated deterministi
cally based on a list of required properties.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7748"/>
<seriesInfo name="DOI" value="10.17487/RFC7748"/>
</reference>
<reference anchor="RFC7959" target="https://www.rfc-editor.org/info/rfc7
959" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7959.xml">
<front>
<title>Block-Wise Transfers in the Constrained Application Protocol
(CoAP)</title>
<author fullname="C. Bormann" initials="C." surname="Bormann"/>
<author fullname="Z. Shelby" initials="Z." role="editor" surname="Sh
elby"/>
<date month="August" year="2016"/>
<abstract>
<t>The Constrained Application Protocol (CoAP) is a RESTful transf
er protocol for constrained nodes and networks. Basic CoAP messages work well fo
r small payloads from sensors and actuators; however, applications will need to
transfer larger payloads occasionally -- for instance, for firmware updates. In
contrast to HTTP, where TCP does the grunt work of segmenting and resequencing,
CoAP is based on datagram transports such as UDP or Datagram Transport Layer Sec
urity (DTLS). These transports only offer fragmentation, which is even more prob
lematic in constrained nodes and networks, limiting the maximum size of resource
representations that can practically be transferred.</t>
<t>Instead of relying on IP fragmentation, this specification exte
nds basic CoAP with a pair of "Block" options for transferring multiple blocks o
f information from a resource representation in multiple request-response pairs.
In many important cases, the Block options enable a server to be truly stateles
s: the server can handle each block transfer separately, with no need for a conn
ection setup or other server-side memory of previous block transfers. Essentiall
y, the Block options provide a minimal way to transfer larger representations in
a block-wise fashion.</t>
<t>A CoAP implementation that does not support these options gener
ally is limited in the size of the representations that can be exchanged, so the
re is an expectation that the Block options will be widely used in CoAP implemen
tations. Therefore, this specification updates RFC 7252.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7959"/>
<seriesInfo name="DOI" value="10.17487/RFC7959"/>
</reference>
<reference anchor="RFC8126" target="https://www.rfc-editor.org/info/rfc8
126" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml">
<front>
<title>Guidelines for Writing an IANA Considerations Section in RFCs
</title>
<author fullname="M. Cotton" initials="M." surname="Cotton"/>
<author fullname="B. Leiba" initials="B." surname="Leiba"/>
<author fullname="T. Narten" initials="T." surname="Narten"/>
<date month="June" year="2017"/>
<abstract>
<t>Many protocols make use of points of extensibility that use con
stants to identify various protocol parameters. To ensure that the values in the
se fields do not have conflicting uses and to promote interoperability, their al
locations are often coordinated by a central record keeper. For IETF protocols,
that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
<t>To make assignments in a given registry prudently, guidance des
cribing the conditions under which new values should be assigned, as well as whe
n and how modifications to existing values can be made, is needed. This document
defines a framework for the documentation of these guidelines by specification
authors, in order to assure that the provided guidance for the IANA Consideratio
ns is clear and addresses the various issues that are likely in the operation of
a registry.</t>
<t>This is the third edition of this document; it obsoletes RFC 52
26.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="26"/>
<seriesInfo name="RFC" value="8126"/>
<seriesInfo name="DOI" value="10.17487/RFC8126"/>
</reference>
<reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8
174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
<front>
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</ti
tle>
<author fullname="B. Leiba" initials="B." surname="Leiba"/>
<date month="May" year="2017"/>
<abstract>
<t>RFC 2119 specifies common key words that may be used in protoco
l specifications. This document aims to reduce the ambiguity by clarifying that
only UPPERCASE usage of the key words have the defined special meanings.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="8174"/>
<seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>
<reference anchor="RFC8392" target="https://www.rfc-editor.org/info/rfc8
392" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8392.xml">
<front>
<title>CBOR Web Token (CWT)</title>
<author fullname="M. Jones" initials="M." surname="Jones"/>
<author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/
>
<author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
<author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/
>
<date month="May" year="2018"/>
<abstract>
<t>CBOR Web Token (CWT) is a compact means of representing claims
to be transferred between two parties. The claims in a CWT are encoded in the Co
ncise Binary Object Representation (CBOR), and CBOR Object Signing and Encryptio
n (COSE) is used for added application-layer security protection. A claim is a p
iece of information asserted about a subject and is represented as a name/value
pair consisting of a claim name and a claim value. CWT is derived from JSON Web
Token (JWT) but uses CBOR rather than JSON.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8392"/>
<seriesInfo name="DOI" value="10.17487/RFC8392"/>
</reference>
<reference anchor="RFC8410" target="https://www.rfc-editor.org/info/rfc8
410" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8410.xml">
<front>
<title>Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 fo
r Use in the Internet X.509 Public Key Infrastructure</title>
<author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
<author fullname="J. Schaad" initials="J." surname="Schaad"/>
<date month="August" year="2018"/>
<abstract>
<t>This document specifies algorithm identifiers and ASN.1 encodin
g formats for elliptic curve constructs using the curve25519 and curve448 curves
. The signature algorithms covered are Ed25519 and Ed448. The key agreement algo
rithms covered are X25519 and X448. The encoding for public key, private key, an
d Edwards-curve Digital Signature Algorithm (EdDSA) structures is provided.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8410"/>
<seriesInfo name="DOI" value="10.17487/RFC8410"/>
</reference>
<reference anchor="RFC8610" target="https://www.rfc-editor.org/info/rfc8
610" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8610.xml">
<front>
<title>Concise Data Definition Language (CDDL): A Notational Convent
ion to Express Concise Binary Object Representation (CBOR) and JSON Data Structu
res</title>
<author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
<author fullname="C. Vigano" initials="C." surname="Vigano"/>
<author fullname="C. Bormann" initials="C." surname="Bormann"/>
<date month="June" year="2019"/>
<abstract>
<t>This document proposes a notational convention to express Conci
se Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal
is to provide an easy and unambiguous way to express structures for protocol me
ssages and data formats that use CBOR or JSON.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8610"/>
<seriesInfo name="DOI" value="10.17487/RFC8610"/>
</reference>
<reference anchor="RFC8613" target="https://www.rfc-editor.org/info/rfc8
613" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8613.xml">
<front>
<title>Object Security for Constrained RESTful Environments (OSCORE)
</title>
<author fullname="G. Selander" initials="G." surname="Selander"/>
<author fullname="J. Mattsson" initials="J." surname="Mattsson"/>
<author fullname="F. Palombini" initials="F." surname="Palombini"/>
<author fullname="L. Seitz" initials="L." surname="Seitz"/>
<date month="July" year="2019"/>
<abstract>
<t>This document defines Object Security for Constrained RESTful E
nvironments (OSCORE), a method for application-layer protection of the Constrain
ed Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE).
OSCORE provides end-to-end protection between endpoints communicating using CoA
P or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks s
upporting a range of proxy operations, including translation between different t
ransport protocols.</t>
<t>Although an optional functionality of CoAP, OSCORE alters CoAP
options processing and IANA registration. Therefore, this document updates RFC 7
252.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8613"/>
<seriesInfo name="DOI" value="10.17487/RFC8613"/>
</reference>
<reference anchor="RFC8724" target="https://www.rfc-editor.org/info/rfc8
724" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8724.xml">
<front>
<title>SCHC: Generic Framework for Static Context Header Compression
and Fragmentation</title>
<author fullname="A. Minaburo" initials="A." surname="Minaburo"/>
<author fullname="L. Toutain" initials="L." surname="Toutain"/>
<author fullname="C. Gomez" initials="C." surname="Gomez"/>
<author fullname="D. Barthel" initials="D." surname="Barthel"/>
<author fullname="JC. Zuniga" initials="JC." surname="Zuniga"/>
<date month="April" year="2020"/>
<abstract>
<t>This document defines the Static Context Header Compression and
fragmentation (SCHC) framework, which provides both a header compression mechan
ism and an optional fragmentation mechanism. SCHC has been designed with Low-Pow
er Wide Area Networks (LPWANs) in mind.</t>
<t>SCHC compression is based on a common static context stored bot
h in the LPWAN device and in the network infrastructure side. This document defi
nes a generic header compression mechanism and its application to compress IPv6/
UDP headers.</t>
<t>This document also specifies an optional fragmentation and reas
sembly mechanism. It can be used to support the IPv6 MTU requirement over the LP
WAN technologies. Fragmentation is needed for IPv6 datagrams that, after SCHC co
mpression or when such compression was not possible, still exceed the Layer 2 ma
ximum payload size.</t>
<t>The SCHC header compression and fragmentation mechanisms are in
dependent of the specific LPWAN technology over which they are used. This docume
nt defines generic functionalities and offers flexibility with regard to paramet
er settings and mechanism choices. This document standardizes the exchange over
the LPWAN between two SCHC entities. Settings and choices specific to a technolo
gy or a product are expected to be grouped into profiles, which are specified in
other documents. Data models for the context and profiles are out of scope.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8724"/>
<seriesInfo name="DOI" value="10.17487/RFC8724"/>
</reference>
<reference anchor="RFC8742" target="https://www.rfc-editor.org/info/rfc8
742" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8742.xml">
<front>
<title>Concise Binary Object Representation (CBOR) Sequences</title>
<author fullname="C. Bormann" initials="C." surname="Bormann"/>
<date month="February" year="2020"/>
<abstract>
<t>This document describes the Concise Binary Object Representatio
n (CBOR) Sequence format and associated media type "application/cbor-seq". A CBO
R Sequence consists of any number of encoded CBOR data items, simply concatenate
d in sequence.</t>
<t>Structured syntax suffixes for media types allow other media ty
pes to build on them and make it explicit that they are built on an existing med
ia type as their foundation. This specification defines and registers "+cbor-seq
" as a structured syntax suffix for CBOR Sequences.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8742"/>
<seriesInfo name="DOI" value="10.17487/RFC8742"/>
</reference>
<reference anchor="RFC8747" target="https://www.rfc-editor.org/info/rfc8
747" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8747.xml">
<front>
<title>Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)<
/title>
<author fullname="M. Jones" initials="M." surname="Jones"/>
<author fullname="L. Seitz" initials="L." surname="Seitz"/>
<author fullname="G. Selander" initials="G." surname="Selander"/>
<author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
<author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/
>
<date month="March" year="2020"/>
<abstract>
<t>This specification describes how to declare in a CBOR Web Token
(CWT) (which is defined by RFC 8392) that the presenter of the CWT possesses a
particular proof-of-possession key. Being able to prove possession of a key is a
lso sometimes described as being the holder-of-key. This specification provides
equivalent functionality to "Proof-of-Possession Key Semantics for JSON Web Toke
ns (JWTs)" (RFC 7800) but using Concise Binary Object Representation (CBOR) and
CWTs rather than JavaScript Object Notation (JSON) and JSON Web Tokens (JWTs).</
t>
</abstract>
</front>
<seriesInfo name="RFC" value="8747"/>
<seriesInfo name="DOI" value="10.17487/RFC8747"/>
</reference>
<reference anchor="RFC8949" target="https://www.rfc-editor.org/info/rfc8
949" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8949.xml">
<front>
<title>Concise Binary Object Representation (CBOR)</title>
<author fullname="C. Bormann" initials="C." surname="Bormann"/>
<author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
<date month="December" year="2020"/>
<abstract>
<t>The Concise Binary Object Representation (CBOR) is a data forma
t whose design goals include the possibility of extremely small code size, fairl
y small message size, and extensibility without the need for version negotiation
. These design goals make it different from earlier binary serializations such a
s ASN.1 and MessagePack.</t>
<t>This document obsoletes RFC 7049, providing editorial improveme
nts, new details, and errata fixes while keeping full compatibility with the int
erchange format of RFC 7049. It does not create a new version of the format.</t>
</abstract>
</front>
<seriesInfo name="STD" value="94"/>
<seriesInfo name="RFC" value="8949"/>
<seriesInfo name="DOI" value="10.17487/RFC8949"/>
</reference>
<reference anchor="RFC9052" target="https://www.rfc-editor.org/info/rfc9
052" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9052.xml">
<front>
<title>CBOR Object Signing and Encryption (COSE): Structures and Pro
cess</title>
<author fullname="J. Schaad" initials="J." surname="Schaad"/>
<date month="August" year="2022"/>
<abstract>
<t>Concise Binary Object Representation (CBOR) is a data format de
signed for small code size and small message size. There is a need to be able to
define basic security services for this data format. This document defines the
CBOR Object Signing and Encryption (COSE) protocol. This specification describes
how to create and process signatures, message authentication codes, and encrypt
ion using CBOR for serialization. This specification additionally describes how
to represent cryptographic keys using CBOR.</t>
<t>This document, along with RFC 9053, obsoletes RFC 8152.</t>
</abstract>
</front>
<seriesInfo name="STD" value="96"/>
<seriesInfo name="RFC" value="9052"/>
<seriesInfo name="DOI" value="10.17487/RFC9052"/>
</reference>
<reference anchor="RFC9053" target="https://www.rfc-editor.org/info/rfc9
053" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9053.xml">
<front>
<title>CBOR Object Signing and Encryption (COSE): Initial Algorithms
</title>
<author fullname="J. Schaad" initials="J." surname="Schaad"/>
<date month="August" year="2022"/>
<abstract>
<t>Concise Binary Object Representation (CBOR) is a data format de
signed for small code size and small message size. There is a need to be able to
define basic security services for this data format. This document defines a se
t of algorithms that can be used with the CBOR Object Signing and Encryption (CO
SE) protocol (RFC 9052).</t>
<t>This document, along with RFC 9052, obsoletes RFC 8152.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9053"/>
<seriesInfo name="DOI" value="10.17487/RFC9053"/>
</reference>
<reference anchor="RFC9175" target="https://www.rfc-editor.org/info/rfc9
175" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9175.xml">
<front>
<title>Constrained Application Protocol (CoAP): Echo, Request-Tag, a
nd Token Processing</title>
<author fullname="C. Amsüss" initials="C." surname="Amsüss"/>
<author fullname="J. Preuß Mattsson" initials="J." surname="Preuß Ma
ttsson"/>
<author fullname="G. Selander" initials="G." surname="Selander"/>
<date month="February" year="2022"/>
<abstract>
<t>This document specifies enhancements to the Constrained Applica
tion Protocol (CoAP) that mitigate security issues in particular use cases. The
Echo option enables a CoAP server to verify the freshness of a request or to for
ce a client to demonstrate reachability at its claimed network address. The Requ
est-Tag option allows the CoAP server to match block-wise message fragments belo
nging to the same request. This document updates RFC 7252 with respect to the fo
llowing: processing requirements for client Tokens, forbidding non-secure reuse
of Tokens to ensure response-to-request binding when CoAP is used with a securit
y protocol, and amplification mitigation (where the use of the Echo option is no
w recommended).</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9175"/>
<seriesInfo name="DOI" value="10.17487/RFC9175"/>
</reference>
<reference anchor="RFC9360" target="https://www.rfc-editor.org/info/rfc9
360" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9360.xml">
<front>
<title>CBOR Object Signing and Encryption (COSE): Header Parameters
for Carrying and Referencing X.509 Certificates</title>
<author fullname="J. Schaad" initials="J." surname="Schaad"/>
<date month="February" year="2023"/>
<abstract>
<t>The CBOR Object Signing and Encryption (COSE) message structure
uses references to keys in general. For some algorithms, additional properties
are defined that carry parameters relating to keys as needed. The COSE Key struc
ture is used for transporting keys outside of COSE messages. This document exten
ds the way that keys can be identified and transported by providing attributes t
hat refer to or contain X.509 certificates.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9360"/>
<seriesInfo name="DOI" value="10.17487/RFC9360"/>
</reference>
</references> </references>
<references> <references>
<name>Informative References</name> <name>Informative References</name>
<reference anchor="RFC2986" target="https://www.rfc-editor.org/info/rfc2
986" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2986.xml"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2986.xml"
<front> />
<title>PKCS #10: Certification Request Syntax Specification Version <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"
1.7</title> />
<author fullname="M. Nystrom" initials="M." surname="Nystrom"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6194.xml"
<author fullname="B. Kaliski" initials="B." surname="Kaliski"/> />
<date month="November" year="2000"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7228.xml"
<abstract> />
<t>This memo represents a republication of PKCS #10 v1.7 from RSA <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7258.xml"
Laboratories' Public-Key Cryptography Standards (PKCS) series, and change contro />
l is retained within the PKCS process. The body of this document, except for the <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7296.xml"
security considerations section, is taken directly from the PKCS #9 v2.0 or the />
PKCS #10 v1.7 document. This memo provides information for the Internet communi <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7624.xml"
ty.</t> />
</abstract> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8366.xml"
</front> />
<seriesInfo name="RFC" value="2986"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8376.xml"
<seriesInfo name="DOI" value="10.17487/RFC2986"/> />
</reference> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"
<reference anchor="RFC5280" target="https://www.rfc-editor.org/info/rfc5 />
280" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8937.xml"
<front> />
<title>Internet X.509 Public Key Infrastructure Certificate and Cert <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9000.xml"
ificate Revocation List (CRL) Profile</title> />
<author fullname="D. Cooper" initials="D." surname="Cooper"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9147.xml"
<author fullname="S. Santesson" initials="S." surname="Santesson"/> />
<author fullname="S. Farrell" initials="S." surname="Farrell"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9176.xml"
<author fullname="S. Boeyen" initials="S." surname="Boeyen"/> />
<author fullname="R. Housley" initials="R." surname="Housley"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9397.xml"
<author fullname="W. Polk" initials="W." surname="Polk"/> />
<date month="May" year="2008"/>
<abstract> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-ra
<t>This memo profiles the X.509 v3 certificate and X.509 v2 certif ts-eat.xml"/>
icate revocation list (CRL) for use in the Internet. An overview of this approac
h and model is provided as an introduction. The X.509 v3 certificate format is d <reference anchor="I-D.ietf-lake-reqs" target="https://datatracker.ietf.org/doc/
escribed in detail, with additional information regarding the format and semanti html/draft-ietf-lake-reqs-04">
cs of Internet name forms. Standard certificate extensions are described and two <front>
Internet-specific extensions are defined. A set of required certificate extensi <title>Requirements for a Lightweight AKE for OSCORE</title>
ons is specified. The X.509 v2 CRL format is described in detail along with stan <author initials="M." surname="Vučinić" fullname="Mališa Vučinić">
dard and Internet-specific extensions. An algorithm for X.509 certification path <organization>Inria</organization>
validation is described. An ASN.1 module and examples are provided in the appen </author>
dices. [STANDARDS-TRACK]</t> <author initials="G." surname="Selander" fullname="Göran Selander">
</abstract> <organization>Ericsson AB</organization>
</front> </author>
<seriesInfo name="RFC" value="5280"/> <author initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson">
<seriesInfo name="DOI" value="10.17487/RFC5280"/> <organization>Ericsson AB</organization>
</reference> </author>
<reference anchor="RFC6194" target="https://www.rfc-editor.org/info/rfc6 <author initials="D." surname="Garcia-Carillo" fullname="Dan Garcia-Carillo">
194" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6194.xml"> <organization>Odin Solutions S.L.</organization>
<front> </author>
<title>Security Considerations for the SHA-0 and SHA-1 Message-Diges <date month="June" day="8" year="2020"/>
t Algorithms</title> </front>
<author fullname="T. Polk" initials="T." surname="Polk"/> <seriesInfo name="Internet-Draft" value="draft-ietf-lake-reqs-04"/>
<author fullname="L. Chen" initials="L." surname="Chen"/> </reference>
<author fullname="S. Turner" initials="S." surname="Turner"/>
<author fullname="P. Hoffman" initials="P." surname="Hoffman"/> <reference anchor="RFC9529" target="https://www.rfc-editor.org/info/rfc9529">
<date month="March" year="2011"/> <front>
<abstract> <title>Traces of Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
<t>This document includes security considerations for the SHA-0 an <author initials="G." surname="Selander" fullname="Göran Selander">
d SHA-1 message digest algorithm. This document is not an Internet Standards Tra <organization>Ericsson</organization>
ck specification; it is published for informational purposes.</t> </author>
</abstract> <author initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson">
</front> <organization>Ericsson</organization>
<seriesInfo name="RFC" value="6194"/> </author>
<seriesInfo name="DOI" value="10.17487/RFC6194"/> <author initials="M." surname="Serafin" fullname="Marek Serafin">
</reference> <organization>ASSA ABLOY</organization>
<reference anchor="RFC7228" target="https://www.rfc-editor.org/info/rfc7 </author>
228" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7228.xml"> <author initials="M." surname="Tiloca" fullname="Marco Tiloca">
<front> <organization>RISE</organization>
<title>Terminology for Constrained-Node Networks</title> </author>
<author fullname="C. Bormann" initials="C." surname="Bormann"/> <author initials="M." surname="Vučinić" fullname="Mališa Vučinić">
<author fullname="M. Ersue" initials="M." surname="Ersue"/> <organization>Inria</organization>
<author fullname="A. Keranen" initials="A." surname="Keranen"/> </author>
<date month="May" year="2014"/> <date month="March" year="2024"/>
<abstract> </front>
<t>The Internet Protocol Suite is increasingly used on small devic <seriesInfo name="RFC" value="9529"/>
es with severe constraints on power, memory, and processing resources, creating <seriesInfo name="DOI" value="10.17487/RFC9529"/>
constrained-node networks. This document provides a number of basic terms that h </reference>
ave been useful in the standardization work for constrained-node networks.</t>
</abstract> <xi:include
</front> href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-core-oscore-ed
<seriesInfo name="RFC" value="7228"/> hoc.xml"/>
<seriesInfo name="DOI" value="10.17487/RFC7228"/>
</reference> <reference anchor="I-D.ietf-cose-cbor-encoded-cert" target="https://datatracker.
<reference anchor="RFC7258" target="https://www.rfc-editor.org/info/rfc7 ietf.org/doc/html/draft-ietf-cose-cbor-encoded-cert-09">
258" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7258.xml"> <front>
<front> <title>
<title>Pervasive Monitoring Is an Attack</title> CBOR Encoded X.509 Certificates (C509 Certificates)
<author fullname="S. Farrell" initials="S." surname="Farrell"/> </title>
<author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/ <author initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson">
> <organization>Ericsson AB</organization>
<date month="May" year="2014"/> </author>
<abstract> <author initials="G." surname="Selander" fullname="Göran Selander">
<t>Pervasive monitoring is a technical attack that should be mitig <organization>Ericsson AB</organization>
ated in the design of IETF protocols, where possible.</t> </author>
</abstract> <author initials="S." surname="Raza" fullname="Shahid Raza">
</front> <organization>RISE AB</organization>
<seriesInfo name="BCP" value="188"/> </author>
<seriesInfo name="RFC" value="7258"/> <author initials="J." surname="Höglund" fullname="Joel Höglund">
<seriesInfo name="DOI" value="10.17487/RFC7258"/> <organization>RISE AB</organization>
</reference> </author>
<reference anchor="RFC7296" target="https://www.rfc-editor.org/info/rfc7 <author initials="M." surname="Furuhed" fullname="Martin Furuhed">
296" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7296.xml"> <organization>Nexus Group</organization>
<front> </author>
<title>Internet Key Exchange Protocol Version 2 (IKEv2)</title> <date month="March" day="4" year="2024"/>
<author fullname="C. Kaufman" initials="C." surname="Kaufman"/> </front>
<author fullname="P. Hoffman" initials="P." surname="Hoffman"/> <seriesInfo name="Internet-Draft" value="draft-ietf-cose-cbor-encoded-cert-09"/>
<author fullname="Y. Nir" initials="Y." surname="Nir"/> </reference>
<author fullname="P. Eronen" initials="P." surname="Eronen"/>
<author fullname="T. Kivinen" initials="T." surname="Kivinen"/> <xi:include
<date month="October" year="2014"/> href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-core-oscore-ke
<abstract> y-update.xml"/>
<t>This document describes version 2 of the Internet Key Exchange
(IKE) protocol. IKE is a component of IPsec used for performing mutual authentic <xi:include
ation and establishing and maintaining Security Associations (SAs). This documen href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-lwig-curve-rep
t obsoletes RFC 5996, and includes all of the errata for it. It advances IKEv2 t resentations.xml"/>
o be an Internet Standard.</t>
</abstract> <xi:include
</front> href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-iotops-securit
<seriesInfo name="STD" value="79"/> y-protocol-comparison.xml"/>
<seriesInfo name="RFC" value="7296"/>
<seriesInfo name="DOI" value="10.17487/RFC7296"/> <reference anchor="I-D.irtf-cfrg-det-sigs-with-noise" target="https://datatracke
</reference> r.ietf.org/doc/html/draft-irtf-cfrg-det-sigs-with-noise-02">
<reference anchor="RFC7624" target="https://www.rfc-editor.org/info/rfc7 <front>
624" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7624.xml"> <title>
<front> Hedged ECDSA and EdDSA Signatures
<title>Confidentiality in the Face of Pervasive Surveillance: A Thre </title>
at Model and Problem Statement</title> <author initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson">
<author fullname="R. Barnes" initials="R." surname="Barnes"/> <organization>Ericsson</organization>
<author fullname="B. Schneier" initials="B." surname="Schneier"/> </author>
<author fullname="C. Jennings" initials="C." surname="Jennings"/> <author initials="E." surname="Thormarker" fullname="Erik Thormarker">
<author fullname="T. Hardie" initials="T." surname="Hardie"/> <organization>Ericsson</organization>
<author fullname="B. Trammell" initials="B." surname="Trammell"/> </author>
<author fullname="C. Huitema" initials="C." surname="Huitema"/> <author initials="S." surname="Ruohomaa" fullname="Sini Ruohomaa">
<author fullname="D. Borkmann" initials="D." surname="Borkmann"/> <organization>Ericsson</organization>
<date month="August" year="2015"/> </author>
<abstract> <date month="March" day="1" year="2024"/>
<t>Since the initial revelations of pervasive surveillance in 2013 </front>
, several classes of attacks on Internet communications have been discovered. In <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-det-sigs-with-noise-02"
this document, we develop a threat model that describes these attacks on Intern />
et confidentiality. We assume an attacker that is interested in undetected, indi </reference>
scriminate eavesdropping. The threat model is based on published, verified attac
ks.</t> <xi:include
</abstract> href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-lake-authz.xml
</front> "/>
<seriesInfo name="RFC" value="7624"/>
<seriesInfo name="DOI" value="10.17487/RFC7624"/> <xi:include
</reference> href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.arkko-arch-internet
<reference anchor="RFC8366" target="https://www.rfc-editor.org/info/rfc8 -threat-model-guidance.xml"/>
366" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8366.xml">
<front> <reference anchor="SP-800-56A">
<title>A Voucher Artifact for Bootstrapping Protocols</title>
<author fullname="K. Watsen" initials="K." surname="Watsen"/>
<author fullname="M. Richardson" initials="M." surname="Richardson"/
>
<author fullname="M. Pritikin" initials="M." surname="Pritikin"/>
<author fullname="T. Eckert" initials="T." surname="Eckert"/>
<date month="May" year="2018"/>
<abstract>
<t>This document defines a strategy to securely assign a pledge to
an owner using an artifact signed, directly or indirectly, by the pledge's manu
facturer. This artifact is known as a "voucher".</t>
<t>This document defines an artifact format as a YANG-defined JSON
document that has been signed using a Cryptographic Message Syntax (CMS) struct
ure. Other YANG-derived formats are possible. The voucher artifact is normally g
enerated by the pledge's manufacturer (i.e., the Manufacturer Authorized Signing
Authority (MASA)).</t>
<t>This document only defines the voucher artifact, leaving it to
other documents to describe specialized protocols for accessing it.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8366"/>
<seriesInfo name="DOI" value="10.17487/RFC8366"/>
</reference>
<reference anchor="RFC8376" target="https://www.rfc-editor.org/info/rfc8
376" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8376.xml">
<front>
<title>Low-Power Wide Area Network (LPWAN) Overview</title>
<author fullname="S. Farrell" initials="S." role="editor" surname="F
arrell"/>
<date month="May" year="2018"/>
<abstract>
<t>Low-Power Wide Area Networks (LPWANs) are wireless technologies
with characteristics such as large coverage areas, low bandwidth, possibly very
small packet and application-layer data sizes, and long battery life operation.
This memo is an informational overview of the set of LPWAN technologies being c
onsidered in the IETF and of the gaps that exist between the needs of those tech
nologies and the goal of running IP in LPWANs.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8376"/>
<seriesInfo name="DOI" value="10.17487/RFC8376"/>
</reference>
<reference anchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8
446" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml">
<front>
<title>The Transport Layer Security (TLS) Protocol Version 1.3</titl
e>
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
<date month="August" year="2018"/>
<abstract>
<t>This document specifies version 1.3 of the Transport Layer Secu
rity (TLS) protocol. TLS allows client/server applications to communicate over t
he Internet in a way that is designed to prevent eavesdropping, tampering, and m
essage forgery.</t>
<t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 50
77, 5246, and 6961. This document also specifies new requirements for TLS 1.2 im
plementations.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8446"/>
<seriesInfo name="DOI" value="10.17487/RFC8446"/>
</reference>
<reference anchor="RFC8937" target="https://www.rfc-editor.org/info/rfc8
937" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8937.xml">
<front>
<title>Randomness Improvements for Security Protocols</title>
<author fullname="C. Cremers" initials="C." surname="Cremers"/>
<author fullname="L. Garratt" initials="L." surname="Garratt"/>
<author fullname="S. Smyshlyaev" initials="S." surname="Smyshlyaev"/
>
<author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
<author fullname="C. Wood" initials="C." surname="Wood"/>
<date month="October" year="2020"/>
<abstract>
<t>Randomness is a crucial ingredient for Transport Layer Security
(TLS) and related security protocols. Weak or predictable "cryptographically se
cure" pseudorandom number generators (CSPRNGs) can be abused or exploited for ma
licious purposes. An initial entropy source that seeds a CSPRNG might be weak or
broken as well, which can also lead to critical and systemic security problems.
This document describes a way for security protocol implementations to augment
their CSPRNGs using long-term private keys. This improves randomness from broken
or otherwise subverted CSPRNGs.</t>
<t>This document is a product of the Crypto Forum Research Group (
CFRG) in the IRTF.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8937"/>
<seriesInfo name="DOI" value="10.17487/RFC8937"/>
</reference>
<reference anchor="RFC9000" target="https://www.rfc-editor.org/info/rfc9
000" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9000.xml">
<front>
<title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
<author fullname="J. Iyengar" initials="J." role="editor" surname="I
yengar"/>
<author fullname="M. Thomson" initials="M." role="editor" surname="T
homson"/>
<date month="May" year="2021"/>
<abstract>
<t>This document defines the core of the QUIC transport protocol.
QUIC provides applications with flow-controlled streams for structured communica
tion, low-latency connection establishment, and network path migration. QUIC inc
ludes security measures that ensure confidentiality, integrity, and availability
in a range of deployment circumstances. Accompanying documents describe the int
egration of TLS for key negotiation, loss detection, and an exemplary congestion
control algorithm.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9000"/>
<seriesInfo name="DOI" value="10.17487/RFC9000"/>
</reference>
<reference anchor="RFC9147" target="https://www.rfc-editor.org/info/rfc9
147" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9147.xml">
<front>
<title>The Datagram Transport Layer Security (DTLS) Protocol Version
1.3</title>
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
<author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/
>
<author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
<date month="April" year="2022"/>
<abstract>
<t>This document specifies version 1.3 of the Datagram Transport L
ayer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to com
municate over the Internet in a way that is designed to prevent eavesdropping, t
ampering, and message forgery.</t>
<t>The DTLS 1.3 protocol is based on the Transport Layer Security
(TLS) 1.3 protocol and provides equivalent security guarantees with the exceptio
n of order protection / non-replayability. Datagram semantics of the underlying
transport are preserved by the DTLS protocol.</t>
<t>This document obsoletes RFC 6347.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9147"/>
<seriesInfo name="DOI" value="10.17487/RFC9147"/>
</reference>
<reference anchor="RFC9176" target="https://www.rfc-editor.org/info/rfc9
176" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9176.xml">
<front>
<title>Constrained RESTful Environments (CoRE) Resource Directory</t
itle>
<author fullname="C. Amsüss" initials="C." role="editor" surname="Am
süss"/>
<author fullname="Z. Shelby" initials="Z." surname="Shelby"/>
<author fullname="M. Koster" initials="M." surname="Koster"/>
<author fullname="C. Bormann" initials="C." surname="Bormann"/>
<author fullname="P. van der Stok" initials="P." surname="van der St
ok"/>
<date month="April" year="2022"/>
<abstract>
<t>In many Internet of Things (IoT) applications, direct discovery
of resources is not practical due to sleeping nodes or networks where multicast
traffic is inefficient. These problems can be solved by employing an entity cal
led a Resource Directory (RD), which contains information about resources held o
n other servers, allowing lookups to be performed for those resources. The input
to an RD is composed of links, and the output is composed of links constructed
from the information stored in the RD. This document specifies the web interface
s that an RD supports for web servers to discover the RD and to register, mainta
in, look up, and remove information on resources. Furthermore, new target attrib
utes useful in conjunction with an RD are defined.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9176"/>
<seriesInfo name="DOI" value="10.17487/RFC9176"/>
</reference>
<reference anchor="RFC9397" target="https://www.rfc-editor.org/info/rfc9
397" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9397.xml">
<front>
<title>Trusted Execution Environment Provisioning (TEEP) Architectur
e</title>
<author fullname="M. Pei" initials="M." surname="Pei"/>
<author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/
>
<author fullname="D. Thaler" initials="D." surname="Thaler"/>
<author fullname="D. Wheeler" initials="D." surname="Wheeler"/>
<date month="July" year="2023"/>
<abstract>
<t>A Trusted Execution Environment (TEE) is an environment that en
forces the following: any code within the environment cannot be tampered with, a
nd any data used by such code cannot be read or tampered with by any code outsid
e the environment. This architecture document discusses the motivation for desig
ning and standardizing a protocol for managing the lifecycle of Trusted Applicat
ions running inside such a TEE.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9397"/>
<seriesInfo name="DOI" value="10.17487/RFC9397"/>
</reference>
<reference anchor="I-D.ietf-rats-eat" target="https://datatracker.ietf.o
rg/doc/html/draft-ietf-rats-eat-21" xml:base="https://bib.ietf.org/public/rfc/bi
bxml3/reference.I-D.ietf-rats-eat.xml">
<front>
<title>The Entity Attestation Token (EAT)</title>
<author fullname="Laurence Lundblade" initials="L." surname="Lundbla
de">
<organization>Security Theory LLC</organization>
</author>
<author fullname="Giridhar Mandyam" initials="G." surname="Mandyam">
<organization>Qualcomm Technologies Inc.</organization>
</author>
<author fullname="Jeremy O'Donoghue" initials="J." surname="O'Donogh
ue">
<organization>Qualcomm Technologies Inc.</organization>
</author>
<author fullname="Carl Wallace" initials="C." surname="Wallace">
<organization>Red Hound Software, Inc.</organization>
</author>
<date day="30" month="June" year="2023"/>
<abstract>
<t>An Entity Attestation Token (EAT) provides an attested claims s
et that describes state and characteristics of an entity, a device like a smartp
hone, IoT device, network equipment or such. This claims set is used by a relyin
g party, server or service to determine how much it wishes to trust the entity.
An EAT is either a CBOR Web Token (CWT) or JSON Web Token (JWT) with attestation
-oriented claims.</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-rats-eat-21"/>
</reference>
<reference anchor="I-D.ietf-lake-reqs" target="https://datatracker.ietf.
org/doc/html/draft-ietf-lake-reqs-04" xml:base="https://bib.ietf.org/public/rfc/
bibxml3/reference.I-D.ietf-lake-reqs.xml">
<front>
<title>Requirements for a Lightweight AKE for OSCORE</title>
<author fullname="Mališa Vučinić" initials="M." surname="Vučinić">
<organization>Inria</organization>
</author>
<author fullname="Göran Selander" initials="G." surname="Selander">
<organization>Ericsson AB</organization>
</author>
<author fullname="John Preuß Mattsson" initials="J. P." surname="Mat
tsson">
<organization>Ericsson AB</organization>
</author>
<author fullname="Dan Garcia-Carillo" initials="D." surname="Garcia-
Carillo">
<organization>Odin Solutions S.L.</organization>
</author>
<date day="8" month="June" year="2020"/>
<abstract>
<t>This document compiles the requirements for a lightweight authe
nticated key exchange protocol for OSCORE. This draft has completed a working gr
oup last call (WGLC) in the LAKE working group. Post-WGLC, the requirements are
considered sufficiently stable for the working group to proceed with its work. I
t is not currently planned to publish this draft as an RFC.</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-lake-reqs-04"/>
</reference>
<reference anchor="I-D.ietf-lake-traces" target="https://datatracker.iet
f.org/doc/html/draft-ietf-lake-traces-05" xml:base="https://bib.ietf.org/public/
rfc/bibxml3/reference.I-D.ietf-lake-traces.xml">
<front>
<title>Traces of EDHOC</title>
<author fullname="Göran Selander" initials="G." surname="Selander">
<organization>Ericsson</organization>
</author>
<author fullname="John Preuß Mattsson" initials="J. P." surname="Mat
tsson">
<organization>Ericsson</organization>
</author>
<author fullname="Marek Serafin" initials="M." surname="Serafin">
<organization>ASSA ABLOY</organization>
</author>
<author fullname="Marco Tiloca" initials="M." surname="Tiloca">
<organization>RISE</organization>
</author>
<date day="28" month="April" year="2023"/>
<abstract>
<t>This document contains some example traces of Ephemeral Diffie-
Hellman Over COSE (EDHOC).</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-lake-traces-05"/>
</reference>
<reference anchor="I-D.ietf-core-oscore-edhoc" target="https://datatrack
er.ietf.org/doc/html/draft-ietf-core-oscore-edhoc-08" xml:base="https://bib.ietf
.org/public/rfc/bibxml3/reference.I-D.ietf-core-oscore-edhoc.xml">
<front>
<title>Using EDHOC with CoAP and OSCORE</title>
<author fullname="Francesca Palombini" initials="F." surname="Palomb
ini">
<organization>Ericsson</organization>
</author>
<author fullname="Marco Tiloca" initials="M." surname="Tiloca">
<organization>RISE AB</organization>
</author>
<author fullname="Rikard Höglund" initials="R." surname="Höglund">
<organization>RISE AB</organization>
</author>
<author fullname="Stefan Hristozov" initials="S." surname="Hristozov
">
<organization>Fraunhofer AISEC</organization>
</author>
<author fullname="Göran Selander" initials="G." surname="Selander">
<organization>Ericsson</organization>
</author>
<date day="8" month="August" year="2023"/>
<abstract>
<t>The lightweight authenticated key exchange protocol EDHOC can b
e run over CoAP and used by two peers to establish an OSCORE Security Context. T
his document details this use of the EDHOC protocol, by specifying a number of a
dditional and optional mechanisms. These especially include an optimization appr
oach for combining the execution of EDHOC with the first OSCORE transaction. Thi
s combination reduces the number of round trips required to set up an OSCORE Sec
urity Context and to complete an OSCORE transaction using that Security Context.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-edhoc-
08"/>
</reference>
<reference anchor="I-D.ietf-cose-cbor-encoded-cert" target="https://data
tracker.ietf.org/doc/html/draft-ietf-cose-cbor-encoded-cert-06" xml:base="https:
//bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-cose-cbor-encoded-cert.xml"
>
<front>
<title>CBOR Encoded X.509 Certificates (C509 Certificates)</title>
<author fullname="John Preuß Mattsson" initials="J. P." surname="Mat
tsson">
<organization>Ericsson AB</organization>
</author>
<author fullname="Göran Selander" initials="G." surname="Selander">
<organization>Ericsson AB</organization>
</author>
<author fullname="Shahid Raza" initials="S." surname="Raza">
<organization>RISE AB</organization>
</author>
<author fullname="Joel Höglund" initials="J." surname="Höglund">
<organization>RISE AB</organization>
</author>
<author fullname="Martin Furuhed" initials="M." surname="Furuhed">
<organization>Nexus Group</organization>
</author>
<date day="7" month="July" year="2023"/>
<abstract>
<t>This document specifies a CBOR encoding of X.509 certificates.
The resulting certificates are called C509 Certificates. The CBOR encoding suppo
rts a large subset of RFC 5280 and all certificates compatible with the RFC 7925
, IEEE 802.1AR (DevID), CNSA, RPKI, GSMA eUICC, and CA/Browser Forum Baseline Re
quirements profiles. When used to re-encode DER encoded X.509 certificates, the
CBOR encoding can in many cases reduce the size of RFC 7925 profiled certificate
s with over 50%. The CBOR encoded structure can alternatively be signed directly
("natively signed"), which does not require re- encoding for the signature to b
e verified. The document also specifies C509 COSE headers, a C509 TLS certificat
e type, and a C509 file format.</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-cose-cbor-encoded-
cert-06"/>
</reference>
<reference anchor="I-D.ietf-core-oscore-key-update" target="https://data
tracker.ietf.org/doc/html/draft-ietf-core-oscore-key-update-05" xml:base="https:
//bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-core-oscore-key-update.xml"
>
<front>
<title>Key Update for OSCORE (KUDOS)</title>
<author fullname="Rikard Höglund" initials="R." surname="Höglund">
<organization>RISE AB</organization>
</author>
<author fullname="Marco Tiloca" initials="M." surname="Tiloca">
<organization>RISE AB</organization>
</author>
<date day="10" month="July" year="2023"/>
<abstract>
<t>This document defines Key Update for OSCORE (KUDOS), a lightwei
ght procedure that two CoAP endpoints can use to update their keying material by
establishing a new OSCORE Security Context. Accordingly, it updates the use of
the OSCORE flag bits in the CoAP OSCORE Option as well as the protection of CoAP
response messages with OSCORE, and it deprecates the key update procedure speci
fied in Appendix B.2 of RFC 8613. Thus, this document updates RFC 8613. Also, th
is document defines a procedure that two endpoints can use to update their OSCOR
E identifiers, run either stand-alone or during a KUDOS execution.</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-key-up
date-05"/>
</reference>
<reference anchor="I-D.ietf-lwig-curve-representations" target="https://
datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-23" xml:base
="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-lwig-curve-represen
tations.xml">
<front>
<title>Alternative Elliptic Curve Representations</title>
<author fullname="Rene Struik" initials="R." surname="Struik">
<organization>Struik Security Consultancy</organization>
</author>
<date day="21" month="January" year="2022"/>
<abstract>
<t>This document specifies how to represent Montgomery curves and
(twisted) Edwards curves as curves in short-Weierstrass form and illustrates how
this can be used to carry out elliptic curve computations leveraging existing i
mplementations and specifications of, e.g., ECDSA and ECDH using NIST prime curv
es. We also provide extensive background material that may be useful for impleme
nters of elliptic curve cryptography.</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-lwig-curve-represe
ntations-23"/>
</reference>
<reference anchor="I-D.ietf-iotops-security-protocol-comparison" target=
"https://datatracker.ietf.org/doc/html/draft-ietf-iotops-security-protocol-compa
rison-02" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-i
otops-security-protocol-comparison.xml">
<front>
<title>Comparison of CoAP Security Protocols</title>
<author fullname="John Preuß Mattsson" initials="J. P." surname="Mat
tsson">
<organization>Ericsson AB</organization>
</author>
<author fullname="Francesca Palombini" initials="F." surname="Palomb
ini">
<organization>Ericsson AB</organization>
</author>
<author fullname="Mališa Vučinić" initials="M." surname="Vučinić">
<organization>INRIA</organization>
</author>
<date day="11" month="April" year="2023"/>
<abstract>
<t>This document analyzes and compares the sizes of key exchange f
lights and the per-packet message size overheads when using different security p
rotocols to secure CoAP. The described overheads are independent of the underlyi
ng transport. Small message sizes are very important for reducing energy consump
tion, latency, and time to completion in constrained radio network such as Low-P
ower Wide Area Networks (LPWANs). The analyzed security protocols are DTLS 1.2,
DTLS 1.3, TLS 1.2, TLS 1.3, cTLS, EDHOC, OSCORE, and Group OSCORE. The DTLS and
TLS record layers are analyzed with and without 6LoWPAN- GHC compression. DTLS i
s analyzed with and without Connection ID.</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-iotops-security-pr
otocol-comparison-02"/>
</reference>
<reference anchor="I-D.irtf-cfrg-det-sigs-with-noise" target="https://da
tatracker.ietf.org/doc/html/draft-irtf-cfrg-det-sigs-with-noise-00" xml:base="ht
tps://bib.ietf.org/public/rfc/bibxml3/reference.I-D.irtf-cfrg-det-sigs-with-nois
e.xml">
<front>
<title>Deterministic ECDSA and EdDSA Signatures with Additional Rand
omness</title>
<author fullname="John Preuß Mattsson" initials="J. P." surname="Mat
tsson">
<organization>Ericsson</organization>
</author>
<author fullname="Erik Thormarker" initials="E." surname="Thormarker
">
<organization>Ericsson</organization>
</author>
<author fullname="Sini Ruohomaa" initials="S." surname="Ruohomaa">
<organization>Ericsson</organization>
</author>
<date day="8" month="August" year="2022"/>
<abstract>
<t>Deterministic elliptic-curve signatures such as deterministic E
CDSA and EdDSA have gained popularity over randomized ECDSA as their security do
not depend on a source of high-quality randomness. Recent research has however
found that implementations of these signature algorithms may be vulnerable to ce
rtain side-channel and fault injection attacks due to their determinism. One cou
ntermeasure to such attacks is to re-add randomness to the otherwise determinist
ic calculation of the per-message secret number. This document updates RFC 6979
and RFC 8032 to recommend constructions with additional randomness for deploymen
ts where side-channel attacks and fault injection attacks are a concern. The upd
ates are invisible to the validator of the signature and compatible with existin
g ECDSA and EdDSA validators.</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-det-sigs-with
-noise-00"/>
</reference>
<reference anchor="I-D.selander-lake-authz" target="https://datatracker.
ietf.org/doc/html/draft-selander-lake-authz-03" xml:base="https://bib.ietf.org/p
ublic/rfc/bibxml3/reference.I-D.selander-lake-authz.xml">
<front>
<title>Lightweight Authorization using Ephemeral Diffie-Hellman Over
COSE</title>
<author fullname="Göran Selander" initials="G." surname="Selander">
<organization>Ericsson AB</organization>
</author>
<author fullname="John Preuß Mattsson" initials="J. P." surname="Mat
tsson">
<organization>Ericsson AB</organization>
</author>
<author fullname="Mališa Vučinić" initials="M." surname="Vučinić">
<organization>INRIA</organization>
</author>
<author fullname="Michael Richardson" initials="M." surname="Richard
son">
<organization>Sandelman Software Works</organization>
</author>
<author fullname="Aurelio Schellenbaum" initials="A." surname="Schel
lenbaum">
<organization>Institute of Embedded Systems, ZHAW</organization>
</author>
<date day="7" month="July" year="2023"/>
<abstract>
<t>This document describes a procedure for authorizing enrollment
of new devices using the lightweight authenticated key exchange protocol Ephemer
al Diffie-Hellman Over COSE (EDHOC). The procedure is applicable to zero-touch o
nboarding of new devices to a constrained network leveraging trust anchors insta
lled at manufacture time.</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-selander-lake-authz-03"
/>
</reference>
<reference anchor="I-D.arkko-arch-internet-threat-model-guidance" target
="https://datatracker.ietf.org/doc/html/draft-arkko-arch-internet-threat-model-g
uidance-00" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.arkk
o-arch-internet-threat-model-guidance.xml">
<front>
<title>Internet Threat Model Guidance</title>
<author fullname="Jari Arkko" initials="J." surname="Arkko">
<organization>Ericsson</organization>
</author>
<author fullname="Stephen Farrell" initials="S." surname="Farrell">
<organization>Trinity College Dublin</organization>
</author>
<date day="12" month="July" year="2021"/>
<abstract>
<t>Communications security has been at the center of many security
improvements in the Internet. The goal has been to ensure that communications a
re protected against outside observers and attackers. This memo suggests that th
e existing RFC 3552 threat model, while important and still valid, is no longer
alone sufficient to cater for the pressing security and privacy issues seen on t
he Internet today. For instance, it is often also necessary to protect against e
ndpoints that are compromised, malicious, or whose interests simply do not align
with the interests of users. While such protection is difficult, there are some
measures that can be taken and we argue that investigation of these issues is w
arranted. It is particularly important to ensure that as we continue to develop
Internet technology, non-communications security related threats, and privacy is
sues, are properly understood.</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-arkko-arch-internet-thr
eat-model-guidance-00"/>
</reference>
<reference anchor="SP-800-56A" target="https://doi.org/10.6028/NIST.SP.8
00-56Ar3">
<front> <front>
<title>Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</title> <title>Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</title>
<author initials="E." surname="Barker"> <author initials="E." surname="Barker">
<organization/> <organization/>
</author> </author>
<author initials="L." surname="Chen"> <author initials="L." surname="Chen">
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Roginsky"> <author initials="A." surname="Roginsky">
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Vassilev"> <author initials="A." surname="Vassilev">
<organization/> <organization/>
</author> </author>
<author initials="R." surname="Davis"> <author initials="R." surname="Davis">
<organization/> <organization/>
</author> </author>
<date year="2018" month="April"/> <date year="2018" month="April"/>
</front> </front>
<seriesInfo name="NIST" value="Special Publication 800-56A Revision 3" /> <seriesInfo name="NIST" value="Special Publication 800-56A Revision 3" />
<seriesInfo name="DOI" value="10.6028/NIST.SP.800-56Ar3"/>
</reference> </reference>
<reference anchor="SP-800-108" target="https://doi.org/10.6028/NIST.SP.8
00-108r1"> <reference anchor="SP-800-108" target="https://doi.org/10.6028/NIST.SP.8
00-108r1-upd1">
<front> <front>
<title>Recommendation for Key Derivation Using Pseudorandom Function s</title> <title>Recommendation for Key Derivation Using Pseudorandom Function s</title>
<author initials="L." surname="Chen"> <author initials="L." surname="Chen">
<organization/> <organization/>
</author> </author>
<date year="2022" month="August"/> <date year="2022" month="August"/>
</front> </front>
<seriesInfo name="NIST" value="Special Publication 800-108 Revision 1" /> <seriesInfo name="NIST" value="Special Publication 800-108 Revision 1" />
<seriesInfo name="DOI" value="10.6028/NIST.SP.800-108r1-upd1"/>
</reference> </reference>
<reference anchor="SP800-185" target="https://doi.org/10.6028/NIST.SP.80 0-185"> <reference anchor="SP800-185" target="https://doi.org/10.6028/NIST.SP.80 0-185">
<front> <front>
<title>SHA-3 Derived Functions cSHAKE, KMAC, TupleHash and ParallelH ash</title> <title>SHA-3 Derived Functions cSHAKE, KMAC, TupleHash and ParallelH ash</title>
<author initials="" surname="John Kelsey"> <author initials="J" surname="Kelsey">
<organization/> <organization/>
</author> </author>
<author initials="" surname="Shu-jen Chang"> <author initials="S" surname="Chang">
<organization/> <organization/>
</author> </author>
<author initials="" surname="Ray Perlner"> <author initials="R" surname="Perlner">
<organization/> <organization/>
</author> </author>
<date year="2016" month="December"/> <date year="2016" month="December"/>
</front> </front>
<seriesInfo name="NIST" value="Special Publication 800-185"/> <seriesInfo name="NIST" value="Special Publication 800-185"/>
<seriesInfo name="DOI" value="10.6028/NIST.SP.800-185"/>
</reference> </reference>
<reference anchor="Degabriele11" target="https://eprint.iacr.org/2011/61 5"> <reference anchor="Degabriele11" target="https://eprint.iacr.org/2011/61 5">
<front> <front>
<title>On the Joint Security of Encryption and Signature in EMV</tit le> <title>On the Joint Security of Encryption and Signature in EMV</tit le>
<author initials="J. P." surname="Degabriele"> <author initials="J." surname="Degabriele">
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Lehmann"> <author initials="A." surname="Lehmann">
<organization/> <organization/>
</author> </author>
<author initials="K. G." surname="Paterson"> <author initials="K." surname="Paterson">
<organization/> <organization/>
</author> </author>
<author initials="N. P." surname="Smart"> <author initials="N." surname="Smart">
<organization/> <organization/>
</author> </author>
<author initials="M." surname="Strefler"> <author initials="M." surname="Strefler">
<organization/> <organization/>
</author> </author>
<date year="2011" month="December"/> <date year="2011" month="December"/>
</front> </front>
</reference> </reference>
<reference anchor="NISTPQC" target="https://csrc.nist.gov/Projects/post- quantum-cryptography/faqs"> <reference anchor="NISTPQC" target="https://csrc.nist.gov/Projects/post- quantum-cryptography/faqs">
<front> <front>
<title>Post-Quantum Cryptography FAQs</title> <title>Post-Quantum Cryptography FAQs</title>
<author> <author>
<organization/> <organization>National Institute Standards and Technology (NIST)</ organization>
</author> </author>
<date year="2023" month="August"/>
</front> </front>
</reference> </reference>
<reference anchor="SECG" target="https://www.secg.org/sec1-v2.pdf"> <reference anchor="SECG" target="https://www.secg.org/sec1-v2.pdf">
<front> <front>
<title>Standards for Efficient Cryptography 1 (SEC 1)</title> <title>SEC 1: Elliptic Curve Cryptography</title>
<author> <author>
<organization/> <organization>Certicom Research</organization>
</author> </author>
<date year="2009" month="May"/> <date year="2009" month="May"/>
</front> </front>
<refcontent>Standards for Efficient Cryptography</refcontent>
</reference> </reference>
<reference anchor="SIGMA" target="https://www.iacr.org/cryptodb/archive/ 2003/CRYPTO/1495/1495.pdf"> <reference anchor="SIGMA" target="https://www.iacr.org/cryptodb/archive/ 2003/CRYPTO/1495/1495.pdf">
<front> <front>
<title>SIGMA - The 'SIGn-and-MAc' Approach to Authenticated Diffie-H ellman and Its Use in the IKE-Protocols</title> <title>SIGMA: the 'SIGn-and-MAc' Approach to Authenticated Diffie-He llman and Its Use in the IKE-Protocols</title>
<author initials="H." surname="Krawczyk"> <author initials="H." surname="Krawczyk">
<organization/> <organization/>
</author> </author>
<date year="2003" month="June"/> <date year="2003" month="June"/>
</front> </front>
</reference> </reference>
<reference anchor="HKDFpaper" target="https://eprint.iacr.org/2010/264.p df"> <reference anchor="HKDFpaper" target="https://eprint.iacr.org/2010/264.p df">
<front> <front>
<title>Cryptographic Extraction and Key Derivation: The HKDF Scheme< /title> <title>Cryptographic Extraction and Key Derivation: The HKDF Scheme< /title>
<author initials="H." surname="Krawczyk"> <author initials="H." surname="Krawczyk">
<organization/> <organization/>
</author> </author>
<date year="2010" month="May"/> <date year="2010" month="May"/>
</front> </front>
</reference> </reference>
<reference anchor="Thormarker21" target="https://eprint.iacr.org/2021/50 9.pdf"> <reference anchor="Thormarker21" target="https://eprint.iacr.org/2021/50 9.pdf">
<front> <front>
<title>On using the same key pair for Ed25519 and an X25519 based KE M</title> <title>On using the same key pair for Ed25519 and an X25519 based KE M</title>
<author initials="E." surname="Thormarker"> <author initials="E." surname="Thormarker">
<organization/> <organization/>
</author> </author>
<date year="2021" month="April"/> <date year="2021" month="April"/>
</front> </front>
</reference> </reference>
<reference anchor="CNSA" target="https://en.wikipedia.org/wiki/Commercia
l_National_Security_Algorithm_Suite"> <reference anchor="CNSA" target="https://en.wikipedia.org/w/index.php?ti
tle=Commercial_National_Security_Algorithm_Suite&amp;oldid=1181333611">
<front> <front>
<title>Commercial National Security Algorithm Suite</title> <title>Commercial National Security Algorithm Suite</title>
<author initials="" surname="NSA"> <author>
<organization/> <organization>Wikipedia</organization>
</author> </author>
<date year="2015" month="August"/> <date year="2023" month="October"/>
</front> </front>
</reference> </reference>
<reference anchor="GuentherIlunga22" target="https://eprint.iacr.org/202 2/1705"> <reference anchor="GuentherIlunga22" target="https://eprint.iacr.org/202 2/1705">
<front> <front>
<title>Careful with MAc-then-SIGn: A Computational Analysis of the E DHOC Lightweight Authenticated Key Exchange Protocol</title> <title>Careful with MAc-then-SIGn: A Computational Analysis of the E DHOC Lightweight Authenticated Key Exchange Protocol</title>
<author initials="F." surname="Günther"> <author initials="F." surname="Günther">
<organization/> <organization/>
</author> </author>
<author initials="M." surname="Ilunga"> <author initials="M." surname="Mukendi">
<organization/> <organization/>
</author> </author>
<date year="2022" month="December"/> <date year="2022" month="December"/>
</front> </front>
</reference> </reference>
<reference anchor="Jacomme23" target="https://hal.inria.fr/hal-03810102/ "> <reference anchor="Jacomme23" target="https://hal.inria.fr/hal-03810102/ ">
<front> <front>
<title>A comprehensive, formal and automated analysis of the EDHOC p rotocol</title> <title>A comprehensive, formal and automated analysis of the EDHOC p rotocol</title>
<author initials="C." surname="Jacomme"> <author initials="C." surname="Jacomme">
<organization/> <organization/>
</author> </author>
<author initials="E." surname="Klein"> <author initials="E." surname="Klein">
<organization/> <organization/>
</author> </author>
<author initials="S." surname="Kremer"> <author initials="S." surname="Kremer">
skipping to change at line 3152 skipping to change at line 2303
</author> </author>
<author initials="T." surname="Grønbech Petersen"> <author initials="T." surname="Grønbech Petersen">
<organization/> <organization/>
</author> </author>
<author initials="C." surname="Schürmann"> <author initials="C." surname="Schürmann">
<organization/> <organization/>
</author> </author>
<date year="2018" month="November"/> <date year="2018" month="November"/>
</front> </front>
</reference> </reference>
<reference anchor="CborMe" target="https://cbor.me/"> <reference anchor="CborMe" target="https://cbor.me/">
<front> <front>
<title>CBOR Playground</title> <title>CBOR Playground</title>
<author initials="C." surname="Bormann"> <author initials="C." surname="Bormann">
<organization/> <organization/>
</author> </author>
<date year="2018" month="May"/>
</front> </front>
</reference> </reference>
<reference anchor="Noise" target="https://noiseprotocol.org/noise.html"> <reference anchor="Noise" target="https://noiseprotocol.org/noise.html">
<front> <front>
<title>The Noise Protocol Framework, Revision 34</title> <title>The Noise Protocol Framework</title>
<author initials="T." surname="Perrin"> <author initials="T." surname="Perrin">
<organization/> <organization/>
</author> </author>
<date year="2018" month="July"/> <date year="2018" month="July"/>
</front> </front>
<refcontent>Revision 34</refcontent>
</reference> </reference>
<reference anchor="IEEE.802.15.4-2015" target="https://ieeexplore.ieee.or
g/document/7460875">
<front>
<title>IEEE Standard for Low-Rate Wireless Networks</title>
<author>
<organization>IEEE</organization>
</author>
<date year="2016" month="April"/>
</front>
<seriesInfo name="DOI" value="10.1109/IEEESTD.2016.7460875"/>
</reference>
</references> </references>
</references> </references>
<?line 1918?> <?line 1918?>
<section anchor="transfer"> <section anchor="transfer">
<name>Use with OSCORE and Transfer over CoAP</name> <name>Use with OSCORE and Transfer over CoAP</name>
<t>This appendix describes how to derive an OSCORE security context when E DHOC is used to key OSCORE, and how to transfer EDHOC messages over CoAP. The us e of CoAP or OSCORE with EDHOC is optional, but if you are using CoAP or OSCORE, then certain normative requirements apply as detailed in the subsections.</t> <t>This appendix describes how to derive an OSCORE security context when E DHOC is used to key OSCORE and how to transfer EDHOC messages over CoAP. The use of CoAP or OSCORE with EDHOC is optional, but if you are using CoAP or OSCORE, then certain normative requirements apply as detailed in the subsections.</t>
<section anchor="oscore-ctx-derivation"> <section anchor="oscore-ctx-derivation">
<name>Deriving the OSCORE Security Context</name> <name>Deriving the OSCORE Security Context</name>
<t>This section specifies how to use EDHOC output to derive the OSCORE s ecurity context.</t> <t>This section specifies how to use EDHOC output to derive the OSCORE s ecurity context.</t>
<t>After successful processing of EDHOC message_3, Client and Server der ive Security Context parameters for OSCORE as follows (see Section 3.2 of <xref target="RFC8613"/>):</t> <t>After successful processing of EDHOC message_3, the Client and Server derive Security Context parameters for OSCORE as follows (see <xref target="RFC 8613" section="3.2" sectionFormat="of"/>):</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>The Master Secret and Master Salt SHALL be derived by using the E DHOC_Exporter interface, see <xref target="exporter"/>: <t>The Master Secret and Master Salt <bcp14>SHALL</bcp14> be derived by using the EDHOC_Exporter interface (see <xref target="exporter"/>):
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>The EDHOC Exporter Labels for deriving the OSCORE Master Secre t and the OSCORE Master Salt, are the uints 0 and 1, respectively.</li> <li>The EDHOC Exporter Labels for deriving the OSCORE Master Secre t and OSCORE Master Salt are the uints 0 and 1, respectively.</li>
<li>The context parameter is h'' (0x40), the empty CBOR byte strin g.</li> <li>The context parameter is h'' (0x40), the empty CBOR byte strin g.</li>
<li>By default, oscore_key_length is the key length (in bytes) of the application AEAD Algorithm of the selected cipher suite for the EDHOC sessio n. Also by default, oscore_salt_length has value 8. The Initiator and Responder MAY agree out-of-band on a longer oscore_key_length than the default, and on sho rter or <li>By default, oscore_key_length is the key length (in bytes) of the application AEAD Algorithm of the selected cipher suite for the EDHOC sessio n. Also by default, oscore_salt_length has value 8. The Initiator and Responder <bcp14>MAY</bcp14> agree out-of-band on a longer oscore_key_length than the defa ult and on shorter or
longer than the default oscore_salt_length.</li> longer than the default oscore_salt_length.</li>
</ul> </ul>
</li> </li>
</ul> </ul>
<artwork><![CDATA[ <artwork><![CDATA[
Master Secret = EDHOC_Exporter( 0, h'', oscore_key_length ) Master Secret = EDHOC_Exporter( 0, h'', oscore_key_length )
Master Salt = EDHOC_Exporter( 1, h'', oscore_salt_length ) Master Salt = EDHOC_Exporter( 1, h'', oscore_salt_length )
]]></artwork> ]]></artwork>
<ul spacing="normal"> <ul spacing="normal">
<li>The AEAD Algorithm SHALL be the application AEAD algorithm of the <li>The AEAD Algorithm <bcp14>SHALL</bcp14> be the application AEAD al
selected cipher suite for the EDHOC session.</li> gorithm of the selected cipher suite for the EDHOC session.</li>
<li>The HKDF Algorithm SHALL be the one based on the application hash <li>The HKDF Algorithm <bcp14>SHALL</bcp14> be the one based on the ap
algorithm of the selected cipher suite for the EDHOC session. For example, if SH plication hash algorithm of the selected cipher suite for the EDHOC session. For
A-256 is the application hash algorithm of the selected cipher suite, HKDF SHA-2 example, if SHA-256 is the application hash algorithm of the selected cipher su
56 is used as HKDF Algorithm in the OSCORE Security Context.</li> ite, HKDF SHA-256 is used as the HKDF Algorithm in the OSCORE Security Context.<
<li>The relationship between identifiers in OSCORE and EDHOC is specif /li>
ied in <xref target="ci-oscore"/>. The OSCORE Sender ID and Recipient ID SHALL b <li>The relationship between identifiers in OSCORE and EDHOC is specif
e determined by the EDHOC connection identifiers C_R and C_I for the EDHOC sessi ied in <xref target="ci-oscore"/>. The OSCORE Sender ID and Recipient ID <bcp14>
on as shown in <xref target="fig-edhoc-oscore-id-mapping"/>.</li> SHALL</bcp14> be determined by EDHOC connection identifiers C_R and C_I for the
EDHOC session as shown in <xref target="tab-edhoc-oscore-id-mapping"/>.</li>
</ul> </ul>
<figure anchor="fig-edhoc-oscore-id-mapping">
<name>Usage of connection identifiers in OSCORE.</name> <table anchor="tab-edhoc-oscore-id-mapping">
<artset> <name>Usage of Connection Identifiers in OSCORE</name>
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/200 <thead>
0/svg" version="1.1" height="144" width="488" viewBox="0 0 488 144" class="diagr <tr>
am" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap <th></th>
="round"> <th>OSCORE Sender ID</th>
<path d="M 8,32 L 8,128" fill="none" stroke="black"/> <th>OSCORE Recipient ID</th>
<path d="M 152,32 L 152,128" fill="none" stroke="black"/> </tr>
<path d="M 304,32 L 304,128" fill="none" stroke="black"/> </thead>
<path d="M 480,32 L 480,128" fill="none" stroke="black"/> <tbody>
<path d="M 8,32 L 480,32" fill="none" stroke="black"/> <tr>
<path d="M 8,62 L 480,62" fill="none" stroke="black"/> <td>EDHOC Initiator</td>
<path d="M 8,66 L 480,66" fill="none" stroke="black"/> <td align="center">C_R</td>
<path d="M 8,96 L 480,96" fill="none" stroke="black"/> <td align="center">C_I</td>
<path d="M 8,128 L 480,128" fill="none" stroke="black"/> </tr><tr>
<g class="text"> <td>EDHOC Responder</td>
<text x="188" y="52">OSCORE</text> <td align="center">C_I</td>
<text x="244" y="52">Sender</text> <td align="center">C_R</td>
<text x="284" y="52">ID</text> </tr>
<text x="340" y="52">OSCORE</text> </tbody>
<text x="408" y="52">Recipient</text> </table>
<text x="460" y="52">ID</text>
<text x="40" y="84">EDHOC</text> <t>The Client and Server <bcp14>SHALL</bcp14> use the parameters above t
<text x="104" y="84">Initiator</text> o establish an OSCORE Security Context, as per <xref target="RFC8613" section="3
<text x="232" y="84">C_R</text> .2.1" sectionFormat="of"/>.</t>
<text x="392" y="84">C_I</text> <t>From then on, the Client and Server retrieve the OSCORE protocol stat
<text x="40" y="116">EDHOC</text> e using the Recipient ID and optionally other transport information such as the
<text x="104" y="116">Responder</text> 5-tuple.</t>
<text x="232" y="116">C_I</text>
<text x="392" y="116">C_R</text>
</g>
</svg>
</artwork>
<artwork type="ascii-art" align="center"><![CDATA[
+-----------------+------------------+---------------------+
| | OSCORE Sender ID | OSCORE Recipient ID |
+=================+==================+=====================+
| EDHOC Initiator | C_R | C_I |
+-----------------+------------------+---------------------+
| EDHOC Responder | C_I | C_R |
+-----------------+------------------+---------------------+
]]></artwork>
</artset>
</figure>
<t>Client and Server SHALL use the parameters above to establish an OSCO
RE Security Context, as per Section 3.2.1 of <xref target="RFC8613"/>.</t>
<t>From then on, Client and Server retrieve the OSCORE protocol state us
ing the Recipient ID, and optionally other transport information such as the 5-t
uple.</t>
</section> </section>
<section anchor="coap"> <section anchor="coap">
<name>Transferring EDHOC over CoAP</name> <name>Transferring EDHOC over CoAP</name>
<t>This section specifies how EDHOC can be transferred as an exchange of <t>This section specifies how EDHOC can be transferred as an exchange of
CoAP <xref target="RFC7252"/> messages. CoAP provides a reliable transport that CoAP <xref target="RFC7252"/> messages. CoAP provides a reliable transport that
can preserve packet ordering, provides flow and congestion control, and handles can preserve packet ordering, provides flow and congestion control, and handles
message duplication. CoAP can also perform fragmentation and mitigate certain d message duplication. CoAP can also perform fragmentation and mitigate certain d
enial-of-service attacks. The underlying CoAP transport should be used in reliab enial-of-service attacks. The underlying CoAP transport should be used in reliab
le mode, in particular when fragmentation is used, to avoid, e.g., situations wi le mode, in particular, when fragmentation is used, to avoid, e.g., situations w
th hanging endpoints waiting for each other.</t> ith hanging endpoints waiting for each other.</t>
<t>EDHOC may run with the Initiator either being CoAP client or CoAP ser <t>EDHOC may run with the Initiator either being a CoAP client or CoAP s
ver. We denote the former by the "forward message flow" (see <xref target="forwa erver. We denote the former by the "forward message flow" (see <xref target="for
rd"/>) and the latter by the "reverse message flow" (see <xref target="reverse"/ ward"/>) and the latter by the "reverse message flow" (see <xref target="reverse
>). By default, we assume the forward message flow, but the roles SHOULD be chos "/>). By default, we assume the forward message flow, but the roles <bcp14>SHOUL
en to protect the most sensitive identity, see <xref target="security"/>.</t> D</bcp14> be chosen to protect the most sensitive identity; see <xref target="se
<t>According to this specification, EDHOC is transferred in POST request curity"/>.</t>
s to the Uri-Path: "/.well-known/edhoc" (see <xref target="well-known"/>), and 2 <t>According to this specification, EDHOC is transferred in POST request
.04 (Changed) responses. An application may define its own path that can be disc s to the Uri-Path: "/.well-known/edhoc" (see <xref target="well-known"/>) and 2.
overed, e.g., using a resource directory <xref target="RFC9176"/>. Client applic 04 (Changed) responses. An application may define its own path that can be disco
ations can use the resource type "core.edhoc" to discover a server's EDHOC resou vered, e.g., using a resource directory <xref target="RFC9176"/>. Client applica
rce, i.e., where to send a request for executing the EDHOC protocol, see <xref t tions can use the resource type "core.edhoc" to discover a server's EDHOC resour
arget="rt"/>. An alternative transfer of the forward message flow is specified i ce, i.e., where to send a request for executing the EDHOC protocol; see <xref ta
n <xref target="I-D.ietf-core-oscore-edhoc"/>.</t> rget="rt"/>. An alternative transfer of the forward message flow is specified in
<t>In order for the server to correlate a message received from a client <xref target="I-D.ietf-core-oscore-edhoc"/>.</t>
to a message previously sent in the same EDHOC session over CoAP, messages sent <t>In order for the server to correlate a message received from a client
by the client SHALL be prepended with the CBOR serialization of the connection to a message previously sent in the same EDHOC session over CoAP, messages sent
identifier which the server has selected, see <xref target="ci-edhoc"/>. This ap by the client <bcp14>SHALL</bcp14> be prepended with the CBOR serialization of
plies both to the forward and the reverse message flows. To indicate a new EDHOC the connection identifier that the server has selected; see <xref target="ci-edh
session in the forward message flow, message_1 SHALL be prepended with the CBOR oc"/>. This applies both to the forward and the reverse message flows. To indica
simple value <tt>true</tt> (0xf5). Even if CoAP is carried over a reliable tran te a new EDHOC session in the forward message flow, message_1 <bcp14>SHALL</bcp1
sport protocol such as TCP, the prepending of identifiers specified here SHALL b 4> be prepended with the CBOR simple value <tt>true</tt> (0xf5). Even if CoAP is
e practiced to enable interoperability independent of how CoAP is transported.</ carried over a reliable transport protocol, such as TCP, the prepending of iden
t> tifiers specified here <bcp14>SHALL</bcp14> be practiced to enable interoperabil
<t>The prepended identifiers are encoded in CBOR and thus self-delimitin ity independent of how CoAP is transported.</t>
g. The representation of identifiers described in <xref target="bstr-repr"/> SHA <t>The prepended identifiers are encoded in CBOR and thus self-delimitin
LL be used. They are sent in front of the actual EDHOC message to keep track of g. The representation of identifiers described in <xref target="bstr-repr"/> <bc
messages in an EDHOC session, and only the part of the body following the identi p14>SHALL</bcp14> be used. They are sent in front of the actual EDHOC message to
fier is used for EDHOC processing. In particular, the connection identifiers wit keep track of messages in an EDHOC session, and only the part of the body follo
hin the EDHOC messages are not impacted by the prepended identifiers.</t> wing the identifier is used for EDHOC processing. In particular, the connection
<t>An EDHOC message has media type application/edhoc+cbor-seq, whereas a identifiers within the EDHOC messages are not impacted by the prepended identifi
n EDHOC message prepended by a connection identifier has media type application/ ers.</t>
cid-edhoc+cbor-seq, see <xref target="content-format"/>.</t> <t>An EDHOC message has media type "application/edhoc+cbor-seq", whereas
<t>To mitigate certain denial-of-service attacks, the CoAP server MAY re an EDHOC message prepended by a connection identifier has media type "applicati
spond to the first POST request with a 4.01 (Unauthorized) containing an Echo op on/cid-edhoc+cbor-seq"; see <xref target="content-format"/>.</t>
tion <xref target="RFC9175"/>. This forces the Initiator to demonstrate reachabi <t>To mitigate certain denial-of-service attacks, the CoAP server <bcp14
lity at its apparent network address. If message fragmentation is needed, the ED >MAY</bcp14> respond to the first POST request with a 4.01 (Unauthorized) contai
HOC messages may be fragmented using the CoAP Block-Wise Transfer mechanism <xre ning an Echo option <xref target="RFC9175"/>. This forces the Initiator to demon
f target="RFC7959"/>.</t> strate reachability at its apparent network address. If message fragmentation is
needed, the EDHOC messages may be fragmented using the CoAP Block-Wise Transfer
mechanism <xref target="RFC7959"/>.</t>
<t>EDHOC error messages need to be transported in response to a message that failed (see <xref target="error"/>). EDHOC error messages transported with CoAP are carried in the payload.</t> <t>EDHOC error messages need to be transported in response to a message that failed (see <xref target="error"/>). EDHOC error messages transported with CoAP are carried in the payload.</t>
<t>Note that the transport over CoAP can serve as a blueprint for other client-server protocols:</t> <t>Note that the transport over CoAP can serve as a blueprint for other client-server protocols:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>The client prepends the connection identifier selected by the serv er (or, for message_1, the CBOR simple value <tt>true</tt>) to any request mess age it sends.</li> <li>The client prepends the connection identifier selected by the serv er (or, for message_1, the CBOR simple value <tt>true</tt>) to any request mess age it sends.</li>
<li>The server does not send any such indicator, as responses are matc hed to request by the client-server protocol design.</li> <li>The server does not send any such indicator, as responses are matc hed to request by the client-server protocol design.</li>
</ul> </ul>
<section anchor="forward"> <section anchor="forward">
<name>The Forward Message Flow</name> <name>The Forward Message Flow</name>
<t>In the forward message flow the CoAP client is the Initiator and th e CoAP server is the Responder. This flow protects the client identity against a ctive attackers and the server identity against passive attackers.</t> <t>In the forward message flow, the CoAP client is the Initiator and t he CoAP server is the Responder. This flow protects the client identity against active attackers and the server identity against passive attackers.</t>
<t>In the forward message flow, the CoAP Token enables correlation on the Initiator (client) side, and the prepended C_R enables correlation on the Re sponder (server) side.</t> <t>In the forward message flow, the CoAP Token enables correlation on the Initiator (client) side, and the prepended C_R enables correlation on the Re sponder (server) side.</t>
<ul spacing="normal"> <ul spacing="normal">
<li>EDHOC message_1 is sent in the payload of a POST request from th <li>EDHOC message_1 is sent in the payload of a POST request from th
e client to the server's resource for EDHOC, prepended with the identifier <tt>t e client to the server's resource for EDHOC, prepended with the identifier <tt>t
rue</tt> (0xf5) indicating a new EDHOC session.</li> rue</tt> (0xf5), indicating a new EDHOC session.</li>
<li>EDHOC message_2 or the EDHOC error message is sent from the serv <li>EDHOC message_2 or the EDHOC error message is sent from the serv
er to the client in the payload of the response, in the former case with respons er to the client in the payload of the response, in the former case with respons
e code 2.04 (Changed), in the latter with response code as specified in <xref ta e code 2.04 (Changed) and in the latter with response code as specified in <xref
rget="edhoc-oscore-over-coap"/>.</li> target="edhoc-oscore-over-coap"/>.</li>
<li>EDHOC message_3 or the EDHOC error message is sent from the clie <li>EDHOC message_3 or the EDHOC error message is sent from the clie
nt to the server's resource in the payload of a POST request, prepended with the nt to the server's resource in the payload of a POST request, prepended with con
connection identifier C_R.</li> nection identifier C_R.</li>
<li>If EDHOC message_4 is used, or in case of an error message, it i <li>If EDHOC message_4 is used, or in case of an error message, it i
s sent from the server to the client in the payload of the response, with respon s sent from the server to the client in the payload of the response, with respon
se codes analogously to message_2. In case of an error message sent in response se codes analogously to message_2. In case of an error message sent in response
to message_4, it is sent analogously to error message sent in response to messag to message_4, it is sent analogously to the error message sent in response to me
e_2.</li> ssage_2.</li>
</ul> </ul>
<t>An example of a completed EDHOC session over CoAP in the forward me ssage flow is shown in <xref target="fig-coap1"/>.</t> <t>An example of a completed EDHOC session over CoAP in the forward me ssage flow is shown in <xref target="fig-coap1"/>.</t>
<figure anchor="fig-coap1"> <figure anchor="fig-coap1">
<name>Example of the forward message flow.</name> <name>Example of the Forward Message Flow</name>
<artset> <artset>
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2 000/svg" version="1.1" height="352" width="496" viewBox="0 0 496 352" class="dia gram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linec ap="round"> <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2 000/svg" version="1.1" height="" width="" viewBox="0 0 496 352" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="ro und">
<path d="M 24,48 L 24,336" fill="none" stroke="black"/> <path d="M 24,48 L 24,336" fill="none" stroke="black"/>
<path d="M 112,48 L 112,336" fill="none" stroke="black"/> <path d="M 112,48 L 112,336" fill="none" stroke="black"/>
<path d="M 24,64 L 104,64" fill="none" stroke="black"/> <path d="M 24,64 L 104,64" fill="none" stroke="black"/>
<path d="M 32,144 L 112,144" fill="none" stroke="black"/> <path d="M 32,144 L 112,144" fill="none" stroke="black"/>
<path d="M 24,208 L 104,208" fill="none" stroke="black"/> <path d="M 24,208 L 104,208" fill="none" stroke="black"/>
<path d="M 32,288 L 112,288" fill="none" stroke="black"/> <path d="M 32,288 L 112,288" fill="none" stroke="black"/>
<polygon class="arrowhead" points="112,208 100,202.4 100,213.6 " fill="black" transform="rotate(0,104,208)"/> <polygon class="arrowhead" points="112,208 100,202.4 100,213.6 " fill="black" transform="rotate(0,104,208)"/>
<polygon class="arrowhead" points="112,64 100,58.4 100,69.6" f ill="black" transform="rotate(0,104,64)"/> <polygon class="arrowhead" points="112,64 100,58.4 100,69.6" f ill="black" transform="rotate(0,104,64)"/>
<polygon class="arrowhead" points="40,288 28,282.4 28,293.6" f ill="black" transform="rotate(180,32,288)"/> <polygon class="arrowhead" points="40,288 28,282.4 28,293.6" f ill="black" transform="rotate(180,32,288)"/>
<polygon class="arrowhead" points="40,144 28,138.4 28,149.6" f ill="black" transform="rotate(180,32,144)"/> <polygon class="arrowhead" points="40,144 28,138.4 28,149.6" f ill="black" transform="rotate(180,32,144)"/>
skipping to change at line 3359 skipping to change at line 2505
| | Content-Format: application/cid-edhoc+cbor-seq | | Content-Format: application/cid-edhoc+cbor-seq
| | Payload: C_R, EDHOC message_3 | | Payload: C_R, EDHOC message_3
| | | |
|<---------+ Header: 2.04 Changed |<---------+ Header: 2.04 Changed
| 2.04 | Content-Format: application/edhoc+cbor-seq | 2.04 | Content-Format: application/edhoc+cbor-seq
| | Payload: EDHOC message_4 | | Payload: EDHOC message_4
| | | |
]]></artwork> ]]></artwork>
</artset> </artset>
</figure> </figure>
<t>The forward message flow of EDHOC can be combined with an OSCORE ex change in a total of two round-trips, see <xref target="I-D.ietf-core-oscore-edh oc"/>.</t> <t>The forward message flow of EDHOC can be combined with an OSCORE ex change in a total of two round trips; see <xref target="I-D.ietf-core-oscore-edh oc"/>.</t>
</section> </section>
<section anchor="reverse"> <section anchor="reverse">
<name>The Reverse Message Flow</name> <name>The Reverse Message Flow</name>
<t>In the reverse message flow the CoAP client is the Responder and th e CoAP server is the Initiator. This flow protects the server identity against a ctive attackers and the client identity against passive attackers.</t> <t>In the reverse message flow, the CoAP client is the Responder and t he CoAP server is the Initiator. This flow protects the server identity against active attackers and the client identity against passive attackers.</t>
<t>In the reverse message flow, the CoAP Token enables correlation on the Responder (client) side, and the prepended C_I enables correlation on the In itiator (server) side.</t> <t>In the reverse message flow, the CoAP Token enables correlation on the Responder (client) side, and the prepended C_I enables correlation on the In itiator (server) side.</t>
<ul spacing="normal"> <ul spacing="normal">
<li>To trigger a new EDHOC session, the client makes an empty POST r equest to the server's resource for EDHOC.</li> <li>To trigger a new EDHOC session, the client makes an empty POST r equest to the server's resource for EDHOC.</li>
<li>EDHOC message_1 is sent from the server to the client in the pay load of the response with response code 2.04 (Changed).</li> <li>EDHOC message_1 is sent from the server to the client in the pay load of the response with response code 2.04 (Changed).</li>
<li>EDHOC message_2 or the EDHOC error message is sent from the clie <li>EDHOC message_2 or the EDHOC error message is sent from the clie
nt to the server's resource in the payload of a POST request, prepended with the nt to the server's resource in the payload of a POST request, prepended with con
connection identifier C_I.</li> nection identifier C_I.</li>
<li>EDHOC message_3 or the EDHOC error message is sent from the serv <li>EDHOC message_3 or the EDHOC error message is sent from the serv
er to the client in the payload of the response, in the former case with respons er to the client in the payload of the response, in the former case with respons
e code 2.04 (Changed), in the latter with response code as specified in <xref ta e code 2.04 (Changed) and in the latter with response code as specified in <xref
rget="edhoc-oscore-over-coap"/>.</li> target="edhoc-oscore-over-coap"/>.</li>
<li>If EDHOC message_4 is used, or in case of an error message, it i <li>If EDHOC message_4 is used, or in case of an error message, it i
s sent from the client to the server's resource in the payload of a POST request s sent from the client to the server's resource in the payload of a POST request
, prepended with the connection identifier C_I. In case of an error message sent , prepended with connection identifier C_I. In case of an error message sent in
in response to message_4, it is sent analogously to an error message sent in re response to message_4, it is sent analogously to an error message sent in respon
sponse to message_2.</li> se to message_2.</li>
</ul> </ul>
<t>An example of a completed EDHOC session over CoAP in the reverse me ssage flow is shown in <xref target="fig-coap2"/>.</t> <t>An example of a completed EDHOC session over CoAP in the reverse me ssage flow is shown in <xref target="fig-coap2"/>.</t>
<figure anchor="fig-coap2"> <figure anchor="fig-coap2">
<name>Example of the reverse message flow.</name> <name>Example of the Reverse Message Flow</name>
<artset> <artset>
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2 000/svg" version="1.1" height="320" width="496" viewBox="0 0 496 320" class="dia gram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linec ap="round"> <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2 000/svg" version="1.1" height="" width="" viewBox="0 0 496 320" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="ro und">
<path d="M 24,48 L 24,304" fill="none" stroke="black"/> <path d="M 24,48 L 24,304" fill="none" stroke="black"/>
<path d="M 112,48 L 112,304" fill="none" stroke="black"/> <path d="M 112,48 L 112,304" fill="none" stroke="black"/>
<path d="M 24,64 L 104,64" fill="none" stroke="black"/> <path d="M 24,64 L 104,64" fill="none" stroke="black"/>
<path d="M 32,112 L 112,112" fill="none" stroke="black"/> <path d="M 32,112 L 112,112" fill="none" stroke="black"/>
<path d="M 24,176 L 104,176" fill="none" stroke="black"/> <path d="M 24,176 L 104,176" fill="none" stroke="black"/>
<path d="M 32,256 L 112,256" fill="none" stroke="black"/> <path d="M 32,256 L 112,256" fill="none" stroke="black"/>
<polygon class="arrowhead" points="112,176 100,170.4 100,181.6 " fill="black" transform="rotate(0,104,176)"/> <polygon class="arrowhead" points="112,176 100,170.4 100,181.6 " fill="black" transform="rotate(0,104,176)"/>
<polygon class="arrowhead" points="112,64 100,58.4 100,69.6" f ill="black" transform="rotate(0,104,64)"/> <polygon class="arrowhead" points="112,64 100,58.4 100,69.6" f ill="black" transform="rotate(0,104,64)"/>
<polygon class="arrowhead" points="40,256 28,250.4 28,261.6" f ill="black" transform="rotate(180,32,256)"/> <polygon class="arrowhead" points="40,256 28,250.4 28,261.6" f ill="black" transform="rotate(180,32,256)"/>
<polygon class="arrowhead" points="40,112 28,106.4 28,117.6" f ill="black" transform="rotate(180,32,112)"/> <polygon class="arrowhead" points="40,112 28,106.4 28,117.6" f ill="black" transform="rotate(180,32,112)"/>
skipping to change at line 3454 skipping to change at line 2600
|<---------+ Header: 2.04 Changed |<---------+ Header: 2.04 Changed
| 2.04 | Content-Format: application/edhoc+cbor-seq | 2.04 | Content-Format: application/edhoc+cbor-seq
| | Payload: EDHOC message_3 | | Payload: EDHOC message_3
| | | |
]]></artwork> ]]></artwork>
</artset> </artset>
</figure> </figure>
</section> </section>
<section anchor="edhoc-oscore-over-coap"> <section anchor="edhoc-oscore-over-coap">
<name>Errors in EDHOC over CoAP</name> <name>Errors in EDHOC over CoAP</name>
<t>When using EDHOC over CoAP, EDHOC error messages sent as CoAP respo nses MUST be sent in the payload of error responses, i.e., they MUST specify a C oAP error response code. In particular, it is RECOMMENDED that such error respon ses have response code either 4.00 (Bad Request) in case of client error (e.g., due to a malformed EDHOC message), or 5.00 (Internal Server Error) in case of se rver error (e.g., due to failure in deriving EDHOC keying material). The Content -Format of the error response MUST be set to application/edhoc+cbor-seq, see <xr ef target="content-format"/>.</t> <t>When using EDHOC over CoAP, EDHOC error messages sent as CoAP respo nses <bcp14>MUST</bcp14> be sent in the payload of error responses, i.e., they < bcp14>MUST</bcp14> specify a CoAP error response code. In particular, it is <bcp 14>RECOMMENDED</bcp14> that such error responses have response code either 4.00 (Bad Request) in case of client error (e.g., due to a malformed EDHOC message) o r 5.00 (Internal Server Error) in case of server error (e.g., due to failure in deriving EDHOC keying material). The Content-Format of the error response <bcp14 >MUST</bcp14> be set to "application/edhoc+cbor-seq"; see <xref target="content- format"/>.</t>
</section> </section>
</section> </section>
</section> </section>
<section anchor="comrep"> <section anchor="comrep">
<name>Compact Representation</name> <name>Compact Representation</name>
<t>This section defines a format for compact representation based on the E lliptic-Curve-Point-to-Octet-String Conversion defined in Section 2.3.3 of <xref target="SECG"/>.</t> <t>This section defines a format for compact representation based on the E lliptic-Curve-Point-to-Octet-String Conversion defined in Section 2.3.3 of <xref target="SECG"/>.</t>
<t>As described in Section 4.2 of <xref target="RFC6090"/> the x-coordinat <t>As described in <xref target="RFC6090" section="4.2" sectionFormat="of"
e of an elliptic curve public key is a suitable representative for the entire po />, the x-coordinate of an elliptic curve public key is a suitable representativ
int whenever scalar multiplication is used as a one-way function. One example is e for the entire point whenever scalar multiplication is used as a one-way funct
ECDH with compact output, where only the x-coordinate of the computed value is ion. One example is ECDH with compact output, where only the x-coordinate of the
used as the shared secret.</t> computed value is used as the shared secret.</t>
<t>In EDHOC, compact representation is used for the ephemeral public keys <t>In EDHOC, compact representation is used for the ephemeral public keys
(G_X and G_Y), see <xref target="cose_key"/>. Using the notation from <xref targ (G_X and G_Y); see <xref target="cose_key"/>. Using the notation from <xref targ
et="SECG"/>, the output is an octet string of length ceil( (log2 q) / 8 ), where et="SECG"/>, the output is an octet string of length ceil( (log2 q) / 8 ), where
ceil(x) is the smallest integer not less than x. See <xref target="SECG"/> for ceil(x) is the smallest integer not less than x. See <xref target="SECG"/> for
a definition of q, M, X, xp, and ~yp. The steps in Section 2.3.3 of <xref target a definition of q, M, X, xp, and ~yp. The steps in Section 2.3.3 of <xref target
="SECG"/> are replaced by:</t> ="SECG"/> are replaced with the following steps:</t>
<ol spacing="normal" type="1"><li>Convert the field element xp to an octet string X of length ceil( (log2 q) / 8 ) octets using the conversion routine spe cified in Section 2.3.5 of <xref target="SECG"/>.</li> <ol spacing="normal" type="1"><li>Convert the field element xp to an octet string X of length ceil( (log2 q) / 8 ) octets using the conversion routine spe cified in Section 2.3.5 of <xref target="SECG"/>.</li>
<li>Output M = X</li> <li>Output M = X.</li>
</ol> </ol>
<t>The encoding of the point at infinity is not supported.</t> <t>The encoding of the point at infinity is not supported.</t>
<t>Compact representation does not change any requirements on validation, see <xref target="crypto"/>. Using compact representation has some security bene fits. An implementation does not need to check that the point is not the point a t infinity (the identity element). Similarly, as not even the sign of the y-coor dinate is encoded, compact representation trivially avoids so-called "benign mal leability" attacks where an attacker changes the sign, see <xref target="SECG"/> .</t> <t>Compact representation does not change any requirements on validation; see <xref target="crypto"/>. Using compact representation has some security bene fits. An implementation does not need to check that the point is not the point a t infinity (the identity element). Similarly, as not even the sign of the y-coor dinate is encoded, compact representation trivially avoids so-called "benign mal leability" attacks where an attacker changes the sign; see <xref target="SECG"/> .</t>
<t>The following may be needed for validation or compatibility with APIs t hat do not support compact representation or do not support the full <xref targe t="SECG"/> format:</t> <t>The following may be needed for validation or compatibility with APIs t hat do not support compact representation or do not support the full <xref targe t="SECG"/> format:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>If a compressed y-coordinate is required, then the value ~yp set to <li>If a compressed y-coordinate is required, then the value ~yp set to
zero can be used. The compact representation described above can in such a case zero can be used. In such a case, the compact representation described above can
be transformed into the SECG point compressed format by prepending it with the s be transformed into the Standards for Efficient Cryptography Group (SECG) point
ingle byte 0x02 (i.e., M = 0x02 || X).</li> -compressed format by prepending it with the single byte 0x02 (i.e., M = 0x02 ||
<li>If an uncompressed y-coordinate is required, then a y-coordinate has X).</li>
to be calculated following Section 2.3.4 of <xref target="SECG"/> or Appendix C <li>If an uncompressed y-coordinate is required, then a y-coordinate has
of <xref target="RFC6090"/>. Any of the square roots (see <xref target="SECG"/> to be calculated following Section 2.3.4 of <xref target="SECG"/> or <xref targ
or <xref target="RFC6090"/>) can be used. The uncompressed SECG format is M = 0 et="RFC6090" sectionFormat="of" section="C"/>. Any of the square roots (see <xre
x04 || X || Y.</li> f target="SECG"/> or <xref target="RFC6090"/>) can be used. The uncompressed SEC
G format is M = 0x04 || X || Y.</li>
</ul> </ul>
<t>For example: The curve P-256 has the parameters (using the notation in <xref target="RFC6090"/>)</t> <t>For example: The curve P-256 has the parameters (using the notation in <xref target="RFC6090"/>):</t>
<ul spacing="normal"> <ul spacing="normal">
<li>p = 2<sup>256</sup> − 2<sup>224</sup> + 2<sup>192</sup> + 2<sup>96</ sup> − 1</li> <li>p = 2<sup>256</sup> - 2<sup>224</sup> + 2<sup>192</sup> + 2<sup>96</ sup> - 1</li>
<li>a = -3</li> <li>a = -3</li>
<li>b = 410583637251521421293261297800472684091144410159937255 <li>b = 410583637251521421293261297800472684091144410159937255
54835256314039467401291</li> 54835256314039467401291</li>
</ul> </ul>
<t>Given an example x:</t> <t>Given an example x:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>x = 115792089183396302095546807154740558443406795108653336 <li>x = 115792089183396302095546807154740558443406795108653336
398970697772788799766525</li> 398970697772788799766525</li>
</ul> </ul>
<t>we can calculate y as the square root w = (x<sup>3</sup> + a <contact f ullname="⋅"/> x + b)<sup>((p + 1)/4)</sup> (mod p)</t> <t>We can calculate y as the square root w = (x<sup>3</sup> + a ⋅ x + b)<s up>((p + 1)/4)</sup> (mod p).</t>
<ul spacing="normal"> <ul spacing="normal">
<li>y = 834387180070192806820075864918626005281451259964015754 <li>y = 834387180070192806820075864918626005281451259964015754
16632522940595860276856</li> 16632522940595860276856</li>
</ul> </ul>
<t>Note that this does not guarantee that (x, y) is on the correct ellipti c curve. A full validation according to Section 5.6.2.3.3 of <xref target="SP-80 0-56A"/> can be achieved by also checking that 0 <contact fullname="≤"/> x &lt; p and that y<sup>2</sup> <contact fullname="≡"/> x<sup>3</sup> + a <contact full name="⋅"/> x + b (mod p).</t> <t>Note that this does not guarantee that (x, y) is on the correct ellipti c curve. A full validation according to Section 5.6.2.3.3 of <xref target="SP-80 0-56A"/> is done by also checking that 0 ≤ x &lt; p and that y<sup>2</sup> ≡ x<s up>3</sup> + a ⋅ x + b (mod p).</t>
</section> </section>
<section anchor="CBORandCOSE"> <section anchor="CBORandCOSE">
<name>Use of CBOR, CDDL, and COSE in EDHOC</name> <name>Use of CBOR, CDDL, and COSE in EDHOC</name>
<t>This Appendix is intended to help implementors not familiar with CBOR < xref target="RFC8949"/>, CDDL <xref target="RFC8610"/>, COSE <xref target="RFC90 52"/>, and HKDF <xref target="RFC5869"/>.</t> <t>This appendix is intended to help implementors not familiar with CBOR < xref target="RFC8949"/>, CDDL <xref target="RFC8610"/>, COSE <xref target="RFC90 52"/>, and HKDF <xref target="RFC5869"/>.</t>
<section anchor="CBOR"> <section anchor="CBOR">
<name>CBOR and CDDL</name> <name>CBOR and CDDL</name>
<t>The Concise Binary Object Representation (CBOR) <xref target="RFC8949 <t>The Concise Binary Object Representation (CBOR) <xref target="RFC8949
"/> is a data format designed for small code size and small message size. CBOR b "/> is a data format designed for small code size and small message size. CBOR b
uilds on the JSON data model but extends it by e.g., encoding binary data direct uilds on the JSON data model but extends it by, e.g., encoding binary data direc
ly without base64 conversion. In addition to the binary CBOR encoding, CBOR also tly without base64 conversion. In addition to the binary CBOR encoding, CBOR als
has a diagnostic notation that is readable and editable by humans. The Concise o has a diagnostic notation that is readable and editable by humans. The Concise
Data Definition Language (CDDL) <xref target="RFC8610"/> provides a way to expre Data Definition Language (CDDL) <xref target="RFC8610"/> provides a way to expr
ss structures for protocol messages and APIs that use CBOR. <xref target="RFC861 ess structures for protocol messages and APIs that use CBOR. <xref target="RFC86
0"/> also extends the diagnostic notation.</t> 10"/> also extends the diagnostic notation.</t>
<t>CBOR data items are encoded to or decoded from byte strings using a t <t>CBOR data items are encoded to or decoded from byte strings using a t
ype-length-value encoding scheme, where the three highest order bits of the init ype-length-value encoding scheme, where the three highest order bits of the init
ial byte contain information about the major type. CBOR supports several types o ial byte contain information about the major type. CBOR supports several types o
f data items, in addition to integers (int, uint), simple values, byte strings ( f data items, integers (int, uint), simple values, byte strings (bstr), and text
bstr), and text strings (tstr), CBOR also supports arrays [] of data items, map strings (tstr). CBOR also supports arrays [] of data items, maps {} of pairs o
s {} of pairs of data items, and sequences <xref target="RFC8742"/> of data item f data items, and sequences <xref target="RFC8742"/> of data items. Some example
s. Some examples are given below.</t> s are given below.</t>
<t>The EDHOC specification sometimes use CDDL names in CBOR diagnostic n <t>The EDHOC specification sometimes use CDDL names in CBOR diagnostic n
otation as in e.g., &lt;&lt; ID_CRED_R, ? EAD_2 &gt;&gt;. This means that EAD_2 otation as in, e.g., &lt;&lt; ID_CRED_R, ? EAD_2 &gt;&gt;. This means that EAD_2
is optional and that ID_CRED_R and EAD_2 should be substituted with their values is optional and that ID_CRED_R and EAD_2 should be substituted with their value
before evaluation. I.e., if ID_CRED_R = { 4 : h'' } and EAD_2 is omitted then & s before evaluation. That is, if ID_CRED_R = { 4 : h'' } and EAD_2 is omitted, t
lt;&lt; ID_CRED_R, ? EAD_2 &gt;&gt; = &lt;&lt; { 4 : h'' } &gt;&gt;, which encod hen &lt;&lt; ID_CRED_R, ? EAD_2 &gt;&gt; = &lt;&lt; { 4 : h'' } &gt;&gt;, which
es to 0x43a10440. We also make use of the occurrence symbol "*", like in e.g., encodes to 0x43a10440. We also make use of the occurrence symbol "*", like in, e
2* int, meaning two or more CBOR integers.</t> .g., 2* int, meaning two or more CBOR integers.</t>
<t>For a complete specification and more examples, see <xref target="RFC 8949"/> and <xref target="RFC8610"/>. We recommend implementors get used to CBOR by using the CBOR playground <xref target="CborMe"/>.</t> <t>For a complete specification and more examples, see <xref target="RFC 8949"/> and <xref target="RFC8610"/>. We recommend implementors get used to CBOR by using the CBOR playground <xref target="CborMe"/>.</t>
<figure anchor="fig-cbor-examples">
<name>Examples of use of CBOR and CDDL.</name> <table anchor="tab-cbor-examples">
<artset> <name>Examples of Use of CBOR and CDDL</name>
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/200 <thead>
0/svg" version="1.1" height="304" width="480" viewBox="0 0 480 304" class="diagr <tr>
am" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap <th>Diagnostic</th>
="round"> <th>Encoded</th>
<path d="M 8,48 L 472,48" fill="none" stroke="black"/> <th>Type</th>
<path d="M 8,288 L 472,288" fill="none" stroke="black"/> </tr>
<g class="text"> </thead>
<text x="52" y="36">Diagnostic</text> <tbody>
<text x="200" y="36">Encoded</text> <tr>
<text x="356" y="36">Type</text> <td>1</td>
<text x="16" y="68">1</text> <td>0x01</td>
<text x="188" y="68">0x01</text> <td>unsigned integer</td>
<text x="372" y="68">unsigned</text> </tr><tr>
<text x="440" y="68">integer</text> <td>24</td>
<text x="20" y="84">24</text> <td>0x1818</td>
<text x="196" y="84">0x1818</text> <td>unsigned integer</td>
<text x="372" y="84">unsigned</text> </tr><tr>
<text x="440" y="84">integer</text> <td>-24</td>
<text x="24" y="100">-24</text> <td>0x37</td>
<text x="188" y="100">0x37</text> <td>negative integer</td>
<text x="372" y="100">negative</text> </tr><tr>
<text x="440" y="100">integer</text> <td>-25</td>
<text x="24" y="116">-25</text> <td>0x3818</td>
<text x="196" y="116">0x3818</text> <td>negative integer</td>
<text x="372" y="116">negative</text> </tr><tr>
<text x="440" y="116">integer</text> <td>true</td>
<text x="28" y="132">true</text> <td>0xf5</td>
<text x="188" y="132">0xf5</text> <td>simple value</td>
<text x="364" y="132">simple</text> </tr><tr>
<text x="416" y="132">value</text> <td>h''</td>
<text x="24" y="148">h''</text> <td>0x40</td>
<text x="188" y="148">0x40</text> <td>byte string</td>
<text x="356" y="148">byte</text> </tr><tr>
<text x="404" y="148">string</text> <td>h'12cd'</td>
<text x="40" y="164">h'12cd'</text> <td>0x4212cd</td>
<text x="204" y="164">0x4212cd</text> <td>byte string</td>
<text x="356" y="164">byte</text> </tr><tr>
<text x="404" y="164">string</text> <td>'12cd'</td>
<text x="36" y="180">'12cd'</text> <td>0x4431326364</td>
<text x="220" y="180">0x4431326364</text> <td>byte string</td>
<text x="356" y="180">byte</text> </tr><tr>
<text x="404" y="180">string</text> <td>"12cd"</td>
<text x="36" y="196">"12cd"</text> <td>0x6431326364</td>
<text x="220" y="196">0x6431326364</text> <td>text string</td>
<text x="356" y="196">text</text> </tr><tr>
<text x="404" y="196">string</text> <td>{ 4 : h'cd' }</td>
<text x="16" y="212">{</text> <td>0xa10441cd</td>
<text x="32" y="212">4</text> <td>map</td>
<text x="48" y="212">:</text> </tr><tr>
<text x="80" y="212">h'cd'</text> <td>&lt;&lt; 1, 2, true >></td>
<text x="112" y="212">}</text> <td>0x430102f5</td>
<text x="212" y="212">0xa10441cd</text> <td>byte string</td>
<text x="352" y="212">map</text> </tr><tr>
<text x="20" y="228">&lt;&lt;</text> <td>[ 1, 2, true ]</td>
<text x="44" y="228">1,</text> <td>0x830102f5</td>
<text x="68" y="228">2,</text> <td>array</td>
<text x="100" y="228">true</text> </tr><tr>
<text x="132" y="228">&gt;&gt;</text> <td>( 1, 2, true )</td>
<text x="212" y="228">0x430102f5</text> <td>0x0102f5</td>
<text x="356" y="228">byte</text> <td>sequence</td>
<text x="404" y="228">string</text> </tr><tr>
<text x="16" y="244">[</text> <td> 1, 2, true</td>
<text x="36" y="244">1,</text> <td>0x0102f5</td>
<text x="60" y="244">2,</text> <td>sequence</td>
<text x="92" y="244">true</text> </tr>
<text x="120" y="244">]</text> </tbody>
<text x="212" y="244">0x830102f5</text> </table>
<text x="360" y="244">array</text>
<text x="16" y="260">(</text> </section>
<text x="36" y="260">1,</text>
<text x="60" y="260">2,</text>
<text x="92" y="260">true</text>
<text x="120" y="260">)</text>
<text x="204" y="260">0x0102f5</text>
<text x="372" y="260">sequence</text>
<text x="20" y="276">1,</text>
<text x="44" y="276">2,</text>
<text x="76" y="276">true</text>
<text x="204" y="276">0x0102f5</text>
<text x="372" y="276">sequence</text>
</g>
</svg>
</artwork>
<artwork type="ascii-art" align="center"><![CDATA[
Diagnostic Encoded Type
1 0x01 unsigned integer
24 0x1818 unsigned integer
-24 0x37 negative integer
-25 0x3818 negative integer
true 0xf5 simple value
h'' 0x40 byte string
h'12cd' 0x4212cd byte string
'12cd' 0x4431326364 byte string
"12cd" 0x6431326364 text string
{ 4 : h'cd' } 0xa10441cd map
<< 1, 2, true >> 0x430102f5 byte string
[ 1, 2, true ] 0x830102f5 array
( 1, 2, true ) 0x0102f5 sequence
1, 2, true 0x0102f5 sequence
]]></artwork>
</artset>
</figure>
</section>
<section anchor="CDDL"> <section anchor="CDDL">
<name>CDDL Definitions</name> <name>CDDL Definitions</name>
<t>This section compiles the CDDL definitions for ease of reference.</t> <t>This section compiles the CDDL definitions for ease of reference.</t>
<sourcecode type="CDDL"><![CDATA[ <sourcecode type="CDDL"><![CDATA[
suites = [ 2* int ] / int suites = [ 2* int ] / int
ead = ( ead = (
ead_label : int, ead_label : int,
? ead_value : bstr, ? ead_value : bstr,
) )
skipping to change at line 3634 skipping to change at line 2748
SUITES_I : suites, SUITES_I : suites,
G_X : bstr, G_X : bstr,
C_I : bstr / -24..23, C_I : bstr / -24..23,
? EAD_1, ? EAD_1,
) )
message_2 = ( message_2 = (
G_Y_CIPHERTEXT_2 : bstr, G_Y_CIPHERTEXT_2 : bstr,
) )
PLAINTEXT_2 = (
C_R,
ID_CRED_R : map / bstr / -24..23,
Signature_or_MAC_2 : bstr,
? EAD_2,
)
message_3 = ( message_3 = (
CIPHERTEXT_3 : bstr, CIPHERTEXT_3 : bstr,
) )
PLAINTEXT_3 = (
ID_CRED_I : map / bstr / -24..23,
Signature_or_MAC_3 : bstr,
? EAD_3,
)
message_4 = ( message_4 = (
CIPHERTEXT_4 : bstr, CIPHERTEXT_4 : bstr,
) )
PLAINTEXT_4 = (
? EAD_4,
)
error = ( error = (
ERR_CODE : int, ERR_CODE : int,
ERR_INFO : any, ERR_INFO : any,
) )
info = ( info = (
info_label : int, info_label : int,
context : bstr, context : bstr,
length : uint, length : uint,
) )
]]></sourcecode> ]]></sourcecode>
</section> </section>
<section anchor="COSE"> <section anchor="COSE">
<name>COSE</name> <name>COSE</name>
<t>CBOR Object Signing and Encryption (COSE) <xref target="RFC9052"/> de scribes how to create and process signatures, message authentication codes, and encryption using CBOR. COSE builds on JOSE, but is adapted to allow more efficie nt processing in constrained devices. EDHOC makes use of COSE_Key, COSE_Encrypt0 , and COSE_Sign1 objects in the message processing:</t> <t>CBOR Object Signing and Encryption (COSE) <xref target="RFC9052"/> de scribes how to create and process signatures, MACs, and encryptions using CBOR. COSE builds on JSON Object Signing and Encryption (JOSE) but is adapted to allow more efficient processing in constrained devices. EDHOC makes use of COSE_Key, COSE_Encrypt0, and COSE_Sign1 objects in the message processing:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>ECDH ephemeral public keys of type EC2 or OKP in message_1 and mes sage_2 consist of the COSE_Key parameter named 'x', see Section 7.1 and 7.2 of < xref target="RFC9053"/></li> <li>ECDH ephemeral public keys of type EC2 or OKP in message_1 and mes sage_2 consist of the COSE_Key parameter named 'x'; see Sections <xref target="R FC9053" section="7.1" sectionFormat="bare"/> and <xref target="RFC9053" section= "7.2" sectionFormat="bare"/> of <xref target="RFC9053"/>.</li>
<li> <li>
<t>The ciphertexts in message_3 and message_4 consist of a subset of the single recipient encrypted data object COSE_Encrypt0, which is described in Sections 5.2-5.3 of <xref target="RFC9052"/>. The ciphertext is computed over t he plaintext and associated data, using an encryption key and an initialization vector. The associated data is an Enc_structure consisting of protected headers and externally supplied data (external_aad). COSE constructs the input to the AE AD <xref target="RFC5116"/> for message_i (i = 3 or 4, see <xref target="m3"/> a nd <xref target="m4"/>, respectively) as follows: </t> <t>The ciphertexts in message_3 and message_4 consist of a subset of the single recipient encrypted data object COSE_Encrypt0, which is described in Sections <xref target="RFC9052" sectionFormat="bare" section="5.2"/> and <xref target="RFC9052" sectionFormat="bare" section="5.3"/> of <xref target="RFC9052"/ >. The ciphertext is computed over the plaintext and associated data, using an e ncryption key and an initialization vector. The associated data is an Enc_struct ure consisting of protected headers and externally supplied data (external_aad). COSE constructs the input to the AEAD <xref target="RFC5116"/> for message_i (i = 3 or 4; see Sections <xref target="m3" format="counter"/> and <xref target="m 4" format="counter"/>, respectively) as follows: </t>
<ul spacing="normal"> <ul spacing="normal">
<li>Secret key K = K_i</li> <li>Secret key K = K_i</li>
<li>Nonce N = IV_i</li> <li>Nonce N = IV_i</li>
<li>Plaintext P for message_i</li> <li>Plaintext P for message_i</li>
<li>Associated Data A = [ "Encrypt0", h'', TH_i ]</li> <li>Associated Data A = [ "Encrypt0", h'', TH_i ]</li>
</ul> </ul>
</li> </li>
<li> <li>
<t>Signatures in message_2 of method 0 and 2, and in message_3 of me thod 0 and 1, consist of a subset of the single signer data object COSE_Sign1, w hich is described in Sections 4.2-4.4 of <xref target="RFC9052"/>. The signature is computed over a Sig_structure containing payload, protected headers and exte rnally supplied data (external_aad) using a private signature key and verified u sing the corresponding public signature key. For COSE_Sign1, the message to be s igned is: </t> <t>Signatures in message_2 of method 0 and 2, and in message_3 of me thod 0 and 1, consist of a subset of the single signer data object COSE_Sign1, w hich is described in Sections <xref target="RFC9052" sectionFormat="bare" secti on="4.2"/> and <xref target="RFC9052" sectionFormat="bare" section="4.4"/> of <x ref target="RFC9052"/>. The signature is computed over a Sig_structure containin g payload, protected headers and externally supplied data (external_aad) using a private signature key, and verified using the corresponding public signature ke y. For COSE_Sign1, the message to be signed is: </t>
<artwork><![CDATA[ <artwork><![CDATA[
[ "Signature1", protected, external_aad, payload ] [ "Signature1", protected, external_aad, payload ]
]]></artwork> ]]></artwork>
<t> <t>
where protected, external_aad and payload are specified in <xref target="m2"/> a nd <xref target="m3"/>.</t> where protected, external_aad, and payload are specified in Sections <xref targe t="m2" format="counter"/> and <xref target="m3" format="counter"/>.</t>
</li> </li>
</ul> </ul>
<t>Different header parameters to identify X.509 or C509 certificates by reference are defined in <xref target="RFC9360"/> and <xref target="I-D.ietf-co se-cbor-encoded-cert"/>:</t> <t>Different header parameters to identify X.509 or C509 certificates by reference are defined in <xref target="RFC9360"/> and <xref target="I-D.ietf-co se-cbor-encoded-cert"/>:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>by a hash value with the 'x5t' or 'c5t' parameters, respectively: </t> <t>by a hash value with the 'x5t' or 'c5t' parameters, respectively: </t>
<ul spacing="normal"> <ul spacing="normal">
<li>ID_CRED_x = { 34 : COSE_CertHash }, for x = I or R,</li> <li>ID_CRED_x = { 34 : COSE_CertHash }, for x = I or R and</li>
<li>ID_CRED_x = { TBD3 : COSE_CertHash }, for x = I or R;</li> <li>ID_CRED_x = { 22 : COSE_CertHash }, for x = I or R,</li>
</ul> </ul>
</li> </li>
<li> <li>
<t>or by a URI with the 'x5u' or 'c5u' parameters, respectively: </ t> <t>or by a URI with the 'x5u' or 'c5u' parameters, respectively: </ t>
<ul spacing="normal"> <ul spacing="normal">
<li>ID_CRED_x = { 35 : uri }, for x = I or R,</li> <li>ID_CRED_x = { 35 : uri }, for x = I or R, and</li>
<li>ID_CRED_x = { TBD4 : uri }, for x = I or R.</li> <li>ID_CRED_x = { 23 : uri }, for x = I or R.</li>
</ul> </ul>
</li> </li>
</ul> </ul>
<t>When ID_CRED_x does not contain the actual credential, it may be very short, e.g., if the endpoints have agreed to use a key identifier parameter 'ki d':</t> <t>When ID_CRED_x does not contain the actual credential, it may be very short, e.g., if the endpoints have agreed to use a key identifier parameter 'ki d':</t>
<ul spacing="normal"> <ul spacing="normal">
<li>ID_CRED_x = { 4 : kid_x }, where kid_x : kid, for x = I or R. For further optimization, see <xref target="id_cred"/>.</li> <li>ID_CRED_x = { 4 : kid_x }, where kid_x : kid, for x = I or R. For further optimization, see <xref target="id_cred"/>.</li>
</ul> </ul>
<t>Note that ID_CRED_x can contain several header parameters, for exampl <t>Note that ID_CRED_x can contain several header parameters, for exampl
e { x5u, x5t } or { kid, kid_context }.</t> e, { x5u, x5t } or { kid, kid_context }.</t>
<t>ID_CRED_x MAY also identify the credential by value. For example, a c <t>ID_CRED_x <bcp14>MAY</bcp14> also identify the credential by value. F
ertificate chain can be transported in an ID_CRED field with COSE header paramet or example, a certificate chain can be transported in an ID_CRED field with COSE
er c5c or x5chain, defined in <xref target="I-D.ietf-cose-cbor-encoded-cert"/> a header parameter c5c or x5chain, as defined in <xref target="I-D.ietf-cose-cbor
nd <xref target="RFC9360"/> and credentials of type CWT and CCS can be transport -encoded-cert"/> and <xref target="RFC9360"/>. Credentials of type CWT and CCS c
ed with the COSE header parameters registered in <xref target="cwt-header-param" an be transported with the COSE header parameters registered in <xref target="cw
/>.</t> t-header-param"/>.</t>
</section> </section>
</section> </section>
<section anchor="auth-validation"> <section anchor="auth-validation">
<name>Authentication Related Verifications</name> <name>Authentication-Related Verifications</name>
<t>EDHOC performs certain authentication related operations, see <xref tar <t>EDHOC performs certain authentication-related operations (see <xref tar
get="auth-key-id"/>, but in general it is necessary to make additional verificat get="auth-key-id"/>), but in general, it is necessary to make additional verific
ions beyond EDHOC message processing. Which verifications that are needed depend ations beyond EDHOC message processing. Which verifications that are needed depe
on the deployment, in particular the trust model and the security policies, but nd on the deployment, in particular, the trust model and the security policies,
most commonly it can be expressed in terms of verifications of credential conte but most commonly, it can be expressed in terms of verifications of credential c
nt.</t> ontent.</t>
<t>EDHOC assumes the existence of mechanisms (certification authority or o <t>EDHOC assumes the existence of mechanisms (certification authority or o
ther trusted third party, pre-provisioning, etc.) for generating and distributin ther trusted third party, pre-provisioning, etc.) for generating and distributin
g authentication credentials and other credentials, as well as the existence of g authentication credentials and other credentials, as well as the existence of
trust anchors (CA certificates, trusted public keys, etc.). For example, a publi trust anchors (CA certificates, trusted public keys, etc.). For example, a publi
c key certificate or CWT may rely on a trusted third party whose public key is p c key certificate or CWT may rely on a trusted third party whose public key is p
re-provisioned, whereas a CCS or a self-signed certificate/CWT may be used when re-provisioned, whereas a CCS or a self-signed certificate / CWT may be used whe
trust in the public key can be achieved by other means, or in the case of Trust n trust in the public key can be achieved by other means, or in the case of trus
on first use, see <xref target="tofu"/>.</t> t on first use, see <xref target="tofu"/>.</t>
<t>In this section we provide some examples of such verifications. These v <t>In this section, we provide some examples of such verifications. These
erifications are the responsibility of the application but may be implemented as verifications are the responsibility of the application but may be implemented a
part of an EDHOC library.</t> s part of an EDHOC library.</t>
<section anchor="validating-auth-credential"> <section anchor="validating-auth-credential">
<name>Validating the Authentication Credential</name> <name>Validating the Authentication Credential</name>
<t>The authentication credential may contain, in addition to the authent ication key, other parameters that needs to be verified. For example:</t> <t>In addition to the authentication key, the authentication credential may contain other parameters that need to be verified. For example:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>In X.509 and C509 certificates, signature keys typically have key <li>In X.509 and C509 certificates, signature keys typically have key
usage "digitalSignature" and Diffie-Hellman public keys typically have key usage usage "digitalSignature", and Diffie-Hellman public keys typically have key usag
"keyAgreement" <xref target="RFC3279"/><xref target="RFC8410"/>.</li> e "keyAgreement" <xref target="RFC3279"/> <xref target="RFC8410"/>.</li>
<li>In X.509 and C509 certificates validity is expressed using Not Aft <li>In X.509 and C509 certificates, validity is expressed using Not Af
er and Not Before. In CWT and CCS, the “exp” and “nbf” claims have similar meani ter and Not Before. In CWT and CCS, the "exp" and "nbf" claims have similar mean
ngs.</li> ings.</li>
</ul> </ul>
</section> </section>
<section anchor="identities"> <section anchor="identities">
<name>Identities</name> <name>Identities</name>
<t>The application must decide on allowing a connection or not depending <t>The application must decide on allowing a connection or not, dependin
on the intended endpoint, and in particular whether it is a specific identity o g on the intended endpoint, and in particular whether it is a specific identity
r in a set of identities. To prevent misbinding attacks, the identity of the end or in a set of identities. To prevent misbinding attacks, the identity of the en
point is included in a MAC verified through the protocol. More details and examp dpoint is included in a MAC verified through the protocol. More details and exam
les are provided in this section.</t> ples are provided in this section.</t>
<t>Policies for what connections to allow are typically set based on the <t>Policies for what connections to allow are typically set based on the
identity of the other endpoint, and endpoints typically only allow connections identity of the other endpoint, and endpoints typically only allow connections
from a specific identity or a small restricted set of identities. For example, i from a specific identity or a small restricted set of identities. For example, i
n the case of a device connecting to a network, the network may only allow conne n the case of a device connecting to a network, the network may only allow conne
ctions from devices which authenticate with certificates having a particular ran ctions from devices that authenticate with certificates having a particular rang
ge of serial numbers and signed by a particular CA. Conversely, a device may onl e of serial numbers and signed by a particular CA. Conversely, a device may only
y be allowed to connect to a network which authenticates with a particular publi be allowed to connect to a network that authenticates with a particular public
c key.</t> key.</t>
<ul spacing="normal"> <ul spacing="normal">
<li>When a Public Key Infrastructure (PKI) is used with certificates, the identity is the subject whose unique name, e.g., a domain name, a Network Ac cess Identifier (NAI), or an Extended Unique Identifier (EUI), is included in th e endpoint's certificate.</li> <li>When a Public Key Infrastructure (PKI) is used with certificates, the identity is the subject whose unique name, e.g., a domain name, a Network Ac cess Identifier (NAI), or an Extended Unique Identifier (EUI), is included in th e endpoint's certificate.</li>
<li>Similarly, when a PKI is used with CWTs, the identity is the subje ct identified by the relevant claim(s), such as 'sub' (subject).</li> <li>Similarly, when a PKI is used with CWTs, the identity is the subje ct identified by the relevant claim(s), such as 'sub' (subject).</li>
<li>When PKI is not used (e.g., CCS, self-signed certificate/CWT) the identity is typically directly associated with the authentication key of the oth er party. For example, if identities can be expressed in the form of unique subj ect names assigned to public keys, then a binding to identity is achieved by inc luding both public key and associated subject name in the authentication credent ial: CRED_I or CRED_R may be a self-signed certificate/CWT or CCS containing the authentication key and the subject name, see <xref target="auth-cred"/>. Each e ndpoint thus needs to know the specific authentication key/unique associated sub ject name, or set of public authentication keys/unique associated subject names, which it is allowed to communicate with.</li> <li>When PKI is not used (e.g., CCS, self-signed certificate / CWT), t he identity is typically directly associated with the authentication key of the other party. For example, if identities can be expressed in the form of unique s ubject names assigned to public keys, then a binding to identity is achieved by including both the public key and associated subject name in the authentication credential. CRED_I or CRED_R may be a self-signed certificate / CWT or CCS conta ining the authentication key and the subject name; see <xref target="auth-cred"/ >. Thus, each endpoint needs to know the specific authentication key / unique as sociated subject name or set of public authentication keys / unique associated s ubject names, which it is allowed to communicate with.</li>
</ul> </ul>
<t>To prevent misbinding attacks in systems where an attacker can regist er public keys without proving knowledge of the private key, SIGMA <xref target= "SIGMA"/> enforces a MAC to be calculated over the "identity". EDHOC follows SIG MA by calculating a MAC over the whole authentication credential, which in case of an X.509 or C509 certificate includes the "subject" and "subjectAltName" fiel ds, and in the case of CWT or CCS includes the "sub" claim.</t> <t>To prevent misbinding attacks in systems where an attacker can regist er public keys without proving knowledge of the private key, SIGMA <xref target= "SIGMA"/> enforces a MAC to be calculated over the "identity". EDHOC follows SIG MA by calculating a MAC over the whole authentication credential, which in case of an X.509 or C509 certificate, includes the "subject" and "subjectAltName" fie lds and, in the case of CWT or CCS, includes the "sub" claim.</t>
<t>(While the SIGMA paper only focuses on the identity, the same princip le is true for other information such as policies associated with the public key .)</t> <t>(While the SIGMA paper only focuses on the identity, the same princip le is true for other information such as policies associated with the public key .)</t>
</section> </section>
<section anchor="cert-path"> <section anchor="cert-path">
<name>Certification Path and Trust Anchors</name> <name>Certification Path and Trust Anchors</name>
<t>When a Public Key Infrastructure (PKI) is used with certificates, the <t>When a Public Key Infrastructure (PKI) is used with certificates, the
trust anchor is a Certification Authority (CA) certificate. Each party needs at trust anchor is a certification authority (CA) certificate. Each party needs at
least one CA public key certificate, or just the CA public key. The certificati least one CA public key certificate or just the CA public key. The certificatio
on path contains proof that the subject of the certificate owns the public key i n path contains proof that the subject of the certificate owns the public key in
n the certificate. Only validated public-key certificates are to be accepted.</t the certificate. Only validated public key certificates are to be accepted.</t>
> <t>Similarly, when a PKI is used with CWTs, each party needs to have at
<t>Similarly, when a PKI is used with CWTs, each party needs to have at least one trusted third-party public key as a trust anchor to verify the end ent
least one trusted third party public key as trust anchor to verify the end entit ity CWTs. The trusted third-party public key can, e.g., be stored in a self-sign
y CWTs. The trusted third party public key can, e.g., be stored in a self-signed ed CWT or in a CCS.</t>
CWT or in a CCS.</t> <t>The signature of the authentication credential needs to be verified w
<t>The signature of the authentication credential needs to be verified w ith the public key of the issuer. X.509 and C509 certificates includes the "Issu
ith the public key of the issuer. X.509 and C509 certificates includes the “Issu er" field. In CWT and CCS, the "iss" claim has a similar meaning. The public key
er” field. In CWT and CCS, the “iss” claim has a similar meaning. The public key is either a trust anchor or the public key in another valid and trusted credent
is either a trust anchor or the public key in another valid and trusted credent ial in a certification path from the trust anchor to the authentication credenti
ial in a certification path from trust anchor to authentication credential.</t> al.</t>
<t>Similar verifications as made with the authentication credential (see <xref target="validating-auth-credential"/>) are also needed for the other cred entials in the certification path.</t> <t>Similar verifications as made with the authentication credential (see <xref target="validating-auth-credential"/>) are also needed for the other cred entials in the certification path.</t>
<t>When PKI is not used (CCS, self-signed certificate/CWT), the trust an chor is the authentication key of the other party, in which case there is no cer tification path.</t> <t>When PKI is not used (CCS and self-signed certificate / CWT), the tru st anchor is the authentication key of the other party; in which case, there is no certification path.</t>
</section> </section>
<section anchor="revocation"> <section anchor="revocation">
<name>Revocation Status</name> <name>Revocation Status</name>
<t>The application may need to verify that the credentials are not revok ed, see <xref target="impl-cons"/>. Some use cases may be served by short-lived credentials, for example, where the validity of the credential is on par with th e interval between revocation checks. But, in general, credential lifetime and r evocation checking are complementary measures to control credential status. Revo cation information may be transported as External Authentication Data (EAD), see <xref target="ead-appendix"/>.</t> <t>The application may need to verify that the credentials are not revok ed; see <xref target="impl-cons"/>. Some use cases may be served by short-lived credentials, for example, where the validity of the credential is on par with th e interval between revocation checks. But, in general, credential lifetime and r evocation checking are complementary measures to control credential status. Revo cation information may be transported as External Authorization Data (EAD); see <xref target="ead-appendix"/>.</t>
</section> </section>
<section anchor="tofu"> <section anchor="tofu">
<name>Unauthenticated Operation</name> <name>Unauthenticated Operation</name>
<t>EDHOC might be used without authentication by allowing the Initiator or Responder to communicate with any identity except its own. Note that EDHOC wi thout mutual authentication is vulnerable to active on-path attacks and therefor e unsafe for general use. However, it is possible to later establish a trust rel ationship with an unknown or not-yet-trusted endpoint. Some examples:</t> <t>EDHOC might be used without authentication by allowing the Initiator or Responder to communicate with any identity except its own. Note that EDHOC wi thout mutual authentication is vulnerable to active on-path attacks and therefor e unsafe for general use. However, it is possible to later establish a trust rel ationship with an unknown or not-yet-trusted endpoint. Some examples are listed below:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>The EDHOC authentication credential can be verified out-of-band at a later stage.</li> <li>The EDHOC authentication credential can be verified out-of-band at a later stage.</li>
<li>The EDHOC session key can be bound to an identity out-of-band at a later stage.</li> <li>The EDHOC session key can be bound to an identity out-of-band at a later stage.</li>
<li>Trust on first use (TOFU) can be used to verify that several EDHOC connections are made to the same identity. TOFU combined with proximity is a co mmon IoT deployment model which provides good security if done correctly. Note t hat secure proximity based on short range wireless technology requires very low signal strength or very low latency.</li> <li>Trust on first use (TOFU) can be used to verify that several EDHOC connections are made to the same identity. TOFU combined with proximity is a co mmon IoT deployment model that provides good security if done correctly. Note th at secure proximity based on short range wireless technology requires very low s ignal strength or very low latency.</li>
</ul> </ul>
</section> </section>
</section> </section>
<section anchor="ead-appendix"> <section anchor="ead-appendix">
<name>Use of External Authorization Data</name> <name>Use of External Authorization Data</name>
<t>In order to reduce the number of messages and round trips, or to simpli fy processing, external security applications may be integrated into EDHOC by tr ansporting related external authorization data (EAD) in the messages.</t> <t>In order to reduce the number of messages and round trips, or to simpli fy processing, external security applications may be integrated into EDHOC by tr ansporting related external authorization data (EAD) in the messages.</t>
<t>The EAD format is specified in <xref target="AD"/>, this section contai ns examples and further details of how EAD may be used with an appropriate accom panying specification.</t> <t>The EAD format is specified in <xref target="AD"/>. This section contai ns examples and further details of how EAD may be used with an appropriate accom panying specification.</t>
<ul spacing="normal"> <ul spacing="normal">
<li>One example is third party assisted authorization, requested with EA <li>One example is third-party-assisted authorization, requested with EA
D_1, and an authorization artifact (“voucher”, cf. <xref target="RFC8366"/>) ret D_1, and an authorization artifact ("voucher", cf. <xref target="RFC8366"/>) ret
urned in EAD_2, see <xref target="I-D.selander-lake-authz"/>.</li> urned in EAD_2; see <xref target="I-D.ietf-lake-authz"/>.</li>
<li>Another example is remote attestation, requested in EAD_2, and an En <li>Another example is remote attestation, requested in EAD_2, and an En
tity Attestation Token (EAT, <xref target="I-D.ietf-rats-eat"/>) returned in EAD tity Attestation Token (EAT) <xref target="I-D.ietf-rats-eat"/> returned in EAD_
_3.</li> 3.</li>
<li>A third example is certificate enrolment, where a Certificate Signin <li>A third example is certificate enrollment, where a Certificate Signi
g Request (CSR, <xref target="RFC2986"/>) is included EAD_3, and the issued publ ng Request (CSR) <xref target="RFC2986"/> is included in EAD_3, and the issued p
ic key certificate (X.509 <xref target="RFC5280"/>, C509 <xref target="I-D.ietf- ublic key certificate (X.509 <xref target="RFC5280"/> and C509 <xref target="I-D
cose-cbor-encoded-cert"/>) or a reference thereof is returned in EAD_4.</li> .ietf-cose-cbor-encoded-cert"/>) or a reference thereof is returned in EAD_4.</l
i>
</ul> </ul>
<t>External authorization data should be considered unprotected by EDHOC, <t>External authorization data should be considered unprotected by EDHOC,
and the protection of EAD is the responsibility of the security application (thi and the protection of EAD is the responsibility of the security application (thi
rd party authorization, remote attestation, certificate enrolment, etc.). The se rd-party authorization, remote attestation, certificate enrollment, etc.). The s
curity properties of the EAD fields (after EDHOC processing) are discussed in <x ecurity properties of the EAD fields (after EDHOC processing) are discussed in <
ref target="sec-prop"/>.</t> xref target="sec-prop"/>.</t>
<t>The content of the EAD field may be used in the EDHOC processing of the <t>The content of the EAD field may be used in the EDHOC processing of the
message in which they are contained. For example, authentication related inform message in which they are contained. For example, authentication-related inform
ation like assertions and revocation information, transported in EAD fields may ation, like assertions and revocation information, transported in EAD fields may
provide input about trust anchors or validity of credentials relevant to the aut provide input about trust anchors or validity of credentials relevant to the au
hentication processing. The EAD fields (like ID_CRED fields) are therefore made thentication processing. The EAD fields (like ID_CRED fields) are therefore made
available to the application before the message is verified, see details of mess available to the application before the message is verified; see details of mes
age processing in <xref target="asym"/>. In the first example above, a voucher i sage processing in <xref target="asym"/>. In the first example above, a voucher
n EAD_2 made available to the application can enable the Initiator to verify the in EAD_2 made available to the application can enable the Initiator to verify th
identity or public key of the Responder before verifying the signature. An appl e identity or the public key of the Responder before verifying the signature. An
ication allowing EAD fields containing authentication information thus may need application allowing EAD fields containing authentication information thus may
to handle authentication related verifications associated with EAD processing.</ need to handle authentication-related verifications associated with EAD processi
t> ng.</t>
<t>Conversely, the security application may need to wait for EDHOC message verification to complete. In the third example above, the validation of a CSR c arried in EAD_3 is not started by the Responder before EDHOC has successfully ve rified message_3 and proven the possession of the private key of the Initiator.< /t> <t>Conversely, the security application may need to wait for EDHOC message verification to complete. In the third example above, the validation of a CSR c arried in EAD_3 is not started by the Responder before EDHOC has successfully ve rified message_3 and proven the possession of the private key of the Initiator.< /t>
<t>The security application may reuse EDHOC protocol fields which therefor <t>The security application may reuse EDHOC protocol fields that therefore
e need to be available to the application. For example, the security application need to be available to the application. For example, the security application
may use the same crypto algorithms as in the EDHOC session and therefore needs may use the same crypto algorithms as in the EDHOC session and therefore needs a
access to the selected cipher suite (or the whole SUITES_I). The application may ccess to the selected cipher suite (or the whole SUITES_I). The application may
use the ephemeral public keys G_X and G_Y, as ephemeral keys or as nonces, see use the ephemeral public keys G_X and G_Y as ephemeral keys or as nonces; see <x
<xref target="I-D.selander-lake-authz"/>.</t> ref target="I-D.ietf-lake-authz"/>.</t>
<t>The processing of the EAD item (ead_label, ? ead_value) by the security <t>The processing of the EAD item (ead_label, ? ead_value) by the security
application needs to be described in the specification where the ead_label is r application needs to be described in the specification where the ead_label is r
egistered, see <xref target="iana-ead"/>, including the optional ead_value for e egistered (see <xref target="iana-ead"/>), including the optional ead_value for
ach message and actions in case of errors. An application may support multiple s each message and actions in case of errors. An application may support multiple
ecurity applications that make use of EAD, which may result in multiple EAD item security applications that make use of EAD, which may result in multiple EAD ite
s in one EAD field, see <xref target="AD"/>. Any dependencies on security applic ms in one EAD field; see <xref target="AD"/>. Any dependencies on security appli
ations with previously registered EAD items needs to be documented, and the proc cations with previously registered EAD items need to be documented, and the proc
essing needs to consider their simultaneous use.</t> essing needs to consider their simultaneous use.</t>
<t>Since data carried in EAD may not be protected, or be processed by the <t>Since data carried in EAD may not be protected, or processed by the app
application before the EDHOC message is verified, special considerations need to lication before the EDHOC message is verified, special considerations need to be
be made such that it does not violate security and privacy requirements of the made such that it does not violate security and privacy requirements of the ser
service which uses this data, see <xref target="unprot-data"/>. The content in a vice that uses this data; see <xref target="unprot-data"/>. The content in an EA
n EAD item may impact the security properties provided by EDHOC. Security applic D item may impact the security properties provided by EDHOC. Security applicatio
ations making use of the EAD items must perform the necessary security analysis. ns making use of the EAD items must perform the necessary security analysis.</t>
</t>
</section> </section>
<section anchor="appl-temp"> <section anchor="appl-temp">
<name>Application Profile Example</name> <name>Application Profile Example</name>
<t>This appendix contains a rudimentary example of an application profile, <t>This appendix contains a rudimentary example of an application profile;
see <xref target="applicability"/>.</t> see <xref target="applicability"/>.</t>
<t>For use of EDHOC with application X the following assumptions are made: <t>For use of EDHOC with application X, the following assumptions are made
</t> :</t>
<ol spacing="normal" type="1"><li>Transfer in CoAP as specified in <xref t arget="coap"/> with requests expected by the CoAP server (= Responder) at /app1- edh, no Content-Format needed.</li> <ol spacing="normal" type="1"><li>Transfer in CoAP as specified in <xref t arget="coap"/> with requests expected by the CoAP server (= Responder) at /app1- edh, no Content-Format needed.</li>
<li>METHOD = 1 (I uses signature key, R uses static DH key.)</li> <li>METHOD = 1 (I uses signature key; R uses static DH key.)</li>
<li> <li>
<t>CRED_I is an IEEE 802.1AR IDevID encoded as a C509 certificate of t ype 0 <xref target="I-D.ietf-cose-cbor-encoded-cert"/>. <t>CRED_I is an IEEE 802.1AR Initial Device Identifier (IDevID) encode d as a C509 certificate of type 0 <xref target="I-D.ietf-cose-cbor-encoded-cert" />.
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>R acquires CRED_I out-of-band, indicated in EAD_1.</li> <li>R acquires CRED_I out-of-band, indicated in EAD_1.</li>
<li>ID_CRED_I = {4: h''} is a 'kid' with value the empty CBOR byte s tring.</li> <li>ID_CRED_I = {4: h''} is a 'kid' with the value of the empty CBOR byte string.</li>
</ul> </ul>
</li> </li>
<li> <li>
<t>CRED_R is a CCS of type OKP as specified in <xref target="auth-cred "/>. <t>CRED_R is a CCS of type OKP as specified in <xref target="auth-cred "/>.
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>The CBOR map has parameters 1 (kty), -1 (crv), and -2 (x-coordin ate).</li> <li>The CBOR map has parameters 1 (kty), -1 (crv), and -2 (x-coordin ate).</li>
<li>ID_CRED_R is {TBD2 : CCS}. Editor's note: TBD2 is the COSE hea der parameter value of 'kccs', see <xref target="cwt-header-param"/></li> <li>ID_CRED_R is {14 : CCS}.</li>
</ul> </ul>
</li> </li>
<li>External authorization data is defined and processed as specified in <li>External authorization data is defined and processed as specified in
<xref target="I-D.selander-lake-authz"/>.</li> <xref target="I-D.ietf-lake-authz"/>.</li>
<li>EUI-64 is used as the identity of the endpoint (see example in <xref <li>EUI-64 is used as the identity of the endpoint (see an example in <x
target="auth-cred"/>).</li> ref target="auth-cred"/>).</li>
<li>No use of message_4: the application sends protected messages from R <li>No use of message_4. The application sends protected messages from R
to I.</li> to I.</li>
</ol> </ol>
</section> </section>
<section anchor="large-plaintext_2"> <section anchor="large-plaintext_2">
<name>Long PLAINTEXT_2</name> <name>Long PLAINTEXT_2</name>
<t>By the definition of encryption of PLAINTEXT_2 with KEYSTREAM_2, it is limited to lengths of PLAINTEXT_2 not exceeding the output of EDHOC_KDF, see <xr ef target="expand"/>. If the EDHOC hash algorithm is SHA-2 then HKDF-Expand is u sed, which limits the length of the EDHOC_KDF output to 255 <contact fullname="⋅ "/> hash_length, where hash_length is the length of the output of the EDHOC hash algorithm given by the cipher suite. For example, with SHA-256 as EDHOC hash al gorithm, the length of the hash output is 32 bytes and the maximum length of PLA INTEXT_2 is 255 <contact fullname="⋅"/> 32 = 8160 bytes.</t> <t>By the definition of encryption of PLAINTEXT_2 with KEYSTREAM_2, it is limited to lengths of PLAINTEXT_2 not exceeding the output of EDHOC_KDF; see <xr ef target="expand"/>. If the EDHOC hash algorithm is SHA-2, then HKDF-Expand is used, which limits the length of the EDHOC_KDF output to 255 ⋅ hash_length, wher e hash_length is the length of the output of the EDHOC hash algorithm given by t he cipher suite. For example, with SHA-256 as the EDHOC hash algorithm, the leng th of the hash output is 32 bytes and the maximum length of PLAINTEXT_2 is 255 ⋅ 32 = 8160 bytes.</t>
<t>While PLAINTEXT_2 is expected to be much shorter than 8 kB for the inte nded use cases, it seems nevertheless prudent to specify a solution for the even t that this should turn out to be a limitation.</t> <t>While PLAINTEXT_2 is expected to be much shorter than 8 kB for the inte nded use cases, it seems nevertheless prudent to specify a solution for the even t that this should turn out to be a limitation.</t>
<t>A potential work-around is to use a cipher suite with a different hash function. In particular, the use of KMAC removes all practical limitations in th is respect.</t> <t>A potential work-around is to use a cipher suite with a different hash function. In particular, the use of KMAC removes all practical limitations in th is respect.</t>
<t>This section specifies a solution which works with any hash function, b <t>This section specifies a solution that works with any hash function by
y making use of multiple invocations of HKDF-Expand and negative values of info_ making use of multiple invocations of HKDF-Expand and negative values of info_la
label.</t> bel.</t>
<t>Consider the PLAINTEXT_2 partitioned in parts P(i) of length equal to M <t>Consider the PLAINTEXT_2 partitioned in parts P(i) of length equal to M
= 255 <contact fullname="⋅"/> hash_length, except possibly the last part P(last = 255 hash_length, except possibly the last part P(last), which has 0 &lt; le
) which has 0 &lt; length <contact fullname="≤"/> M.</t> ngth ≤ M.</t>
<artwork><![CDATA[ <artwork><![CDATA[
PLAINTEXT_2 = P(0) | P(1) | ... | P(last) PLAINTEXT_2 = P(0) | P(1) | ... | P(last)
]]></artwork> ]]></artwork>
<t>where | indicates concatenation.</t> <t>where "|" indicates concatenation.</t>
<t>The object is to define a matching KEYSTREAM_2 of the same length and p erform the encryption in the same way as defined in <xref target="asym-msg2-proc "/>:</t> <t>The object is to define a matching KEYSTREAM_2 of the same length and p erform the encryption in the same way as defined in <xref target="asym-msg2-proc "/>:</t>
<artwork><![CDATA[ <artwork><![CDATA[
CIPHERTEXT_2 = PLAINTEXT_2 XOR KEYSTREAM_2 CIPHERTEXT_2 = PLAINTEXT_2 XOR KEYSTREAM_2
]]></artwork> ]]></artwork>
<t>Define the keystream as:</t> <t>Define the keystream as:</t>
<artwork><![CDATA[ <artwork><![CDATA[
KEYSTREAM_2 = OKM(0) | OKM(1) | ... | OKM(last) KEYSTREAM_2 = OKM(0) | OKM(1) | ... | OKM(last)
]]></artwork> ]]></artwork>
<t>where</t> <t>where:</t>
<artwork><![CDATA[ <artwork><![CDATA[
OKM(i) = EDHOC_KDF( PRK_2e, -i, TH_2, length(P(i)) ) OKM(i) = EDHOC_KDF( PRK_2e, -i, TH_2, length(P(i)) )
]]></artwork> ]]></artwork>
<t>Note that if length(PLAINTEXT_2) <contact fullname="≤"/> M then P(0) = <t>Note that if length(PLAINTEXT_2) ≤ M, then P(0) = PLAINTEXT_2 and the d
PLAINTEXT_2 and the definition of KEYSTREAM_2 = OKM(0) coincides with <xref targ efinition of KEYSTREAM_2 = OKM(0) coincides with <xref target="fig-edhoc-kdf"/>.
et="fig-edhoc-kdf"/>.</t> </t>
<t>This describes the processing of the Responder when sending message_2. <t>This describes the processing of the Responder when sending message_2.
The Initiator makes the same calculations when receiving message_2, but intercha The Initiator makes the same calculations when receiving message_2 but interchan
nging PLAINTEXT_2 and CIPHERTEXT_2.</t> ging PLAINTEXT_2 and CIPHERTEXT_2.</t>
<t>An application profile may specify if it supports or not the method des <t>An application profile may specify if it supports or does not support t
cribed in this appendix.</t> he method described in this appendix.</t>
</section> </section>
<section anchor="keyupdate"> <section anchor="keyupdate">
<name>EDHOC_KeyUpdate</name> <name>EDHOC_KeyUpdate</name>
<t>To provide forward secrecy in an even more efficient way than re-runnin g EDHOC, this section specifies the optional function EDHOC_KeyUpdate in terms o f EDHOC_KDF and PRK_out.</t> <t>To provide forward secrecy in an even more efficient way than re-runnin g EDHOC, this section specifies the optional function EDHOC_KeyUpdate in terms o f EDHOC_KDF and PRK_out.</t>
<t>When EDHOC_KeyUpdate is called, a new PRK_out is calculated as a "hash" of the old PRK_out using the EDHOC_Expand function as illustrated by the follow ing pseudocode. The change of PRK_out causes a change to PRK_exporter which enab les the derivation of new application keys superseding the old ones, using EDHOC _Exporter, see <xref target="exporter"/>.</t> <t>When EDHOC_KeyUpdate is called, a new PRK_out is calculated as the outp ut of the EDHOC_Expand function with the old PRK_out as input. The change of PRK _out causes a change to PRK_exporter, which enables the derivation of new applic ation keys superseding the old ones, using EDHOC_Exporter; see <xref target="exp orter"/>. The process is illustrated by the following pseudocode.</t>
<artwork><![CDATA[ <artwork><![CDATA[
EDHOC_KeyUpdate( context ): EDHOC_KeyUpdate( context ):
new PRK_out = EDHOC_KDF( old PRK_out, 11, context, hash_length ) new PRK_out = EDHOC_KDF( old PRK_out, 11, context, hash_length )
new PRK_exporter = EDHOC_KDF( new PRK_out, 10, h'', hash_length ) new PRK_exporter = EDHOC_KDF( new PRK_out, 10, h'', hash_length )
]]></artwork> ]]></artwork>
<t>where hash_length denotes the output size in bytes of the EDHOC hash al <t>where hash_length denotes the output size in bytes of the EDHOC hash al
gorithm of the selected cipher suite.</t> gorithm of the selected cipher suite.</t>
<t>The EDHOC_KeyUpdate takes a context as input to enable binding of the u <t> The EDHOC_KeyUpdate takes a context as input to enable binding of
pdated PRK_out to some event that triggered the key update. The Initiator and th the updated PRK_out to some event that triggered the key update. The
e Responder need to agree on the context, which can, e.g., be a counter, a pseud Initiator and Responder need to agree on the context, which can,
orandom number, or a hash. To provide forward secrecy the old PRK_out and keys d e.g., be a counter, a pseudorandom number, or a hash. To provide
erived from it (old PRK_exporter and old application keys) must be deleted as so forward secrecy, the old PRK_out and keys derived from it (old
on as they are not needed. When to delete the old keys and how to verify that th PRK_exporter and old application keys) must be deleted as soon as
ey are not needed is up to the application.</t> they are not needed. When to delete the old keys and how to verify
that they are not needed is up to the application. Note that the
security properties depend on the type of context and the number
of KeyUpdate iterations.</t>
<t>An application using EDHOC_KeyUpdate needs to store PRK_out. Compromise of PRK_out leads to compromise of all keying material derived with the EDHOC_Ex porter since the last invocation of the EDHOC_KeyUpdate function.</t> <t>An application using EDHOC_KeyUpdate needs to store PRK_out. Compromise of PRK_out leads to compromise of all keying material derived with the EDHOC_Ex porter since the last invocation of the EDHOC_KeyUpdate function.</t>
<t>While this key update method provides forward secrecy it does not give <t>While this key update method provides forward secrecy, it does not give
as strong security properties as re-running EDHOC. EDHOC_KeyUpdate can be used t as strong security properties as re-running EDHOC. EDHOC_KeyUpdate can be used
o meet cryptographic limits and provide partial protection against key leakage, to meet cryptographic limits and provide partial protection against key leakage,
but it provides significantly weaker security properties than re-running EDHOC w but it provides significantly weaker security properties than re-running EDHOC
ith ephemeral Diffie-Hellman. Even with frequent use of EDHOC_KeyUpdate, comprom with ephemeral Diffie-Hellman. Even with frequent use of EDHOC_KeyUpdate, compro
ise of one session key compromises all future session keys, and an attacker ther mise of one session key compromises all future session keys, and an attacker the
efore only needs to perform static key exfiltration <xref target="RFC7624"/>, wh refore only needs to perform static key exfiltration <xref target="RFC7624"/>, w
ich is less complicated and has a lower risk profile than the dynamic case, see hich is less complicated and has a lower risk profile than the dynamic case; see
<xref target="sec-prop"/>.</t> <xref target="sec-prop"/>.</t>
<t>A similar method to do key update for OSCORE is KUDOS, see <xref target <t>A similar method to do a key update for OSCORE is KUDOS; see <xref targ
="I-D.ietf-core-oscore-key-update"/>.</t> et="I-D.ietf-core-oscore-key-update"/>.</t>
</section> </section>
<section anchor="example-protocol-state-machine"> <section anchor="example-protocol-state-machine">
<name>Example Protocol State Machine</name> <name>Example Protocol State Machine</name>
<t>This appendix describes an example protocol state machine for the Initi <t>This appendix describes an example protocol state machine for the Initi
ator and for the Responder. States are denoted in all capitals and parentheses d ator and Responder. States are denoted in all capitals, and parentheses denote a
enote actions taken only in some circumstances.</t> ctions taken only in some circumstances.</t>
<t>Note that this state machine is just an example, and that details of pr <t>Note that this state machine is just an example, and that details of pr
ocessing are omitted, for example:</t> ocessing are omitted. For example:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>When error messages are being sent (with one exception)</li> <li>when error messages are being sent (with one exception);</li>
<li>How credentials and EAD are processed by EDHOC and the application i <li>how credentials and EAD are processed by EDHOC and the application i
n the RCVD state</li> n the RCVD state; and</li>
<li>What verifications are made, which includes not only MACs and signat <li>what verifications are made, which includes not only MACs and signat
ures</li> ures.</li>
</ul> </ul>
<section anchor="initiator-state-machine"> <section anchor="initiator-state-machine">
<name>Initiator State Machine</name> <name>Initiator State Machine</name>
<t>The Initiator sends message_1, triggering the state machine to transi tion from START to WAIT_M2, and waits for message_2.</t> <t>The Initiator sends message_1, triggering the state machine to transi tion from START to WAIT_M2, and waits for message_2.</t>
<t>If the incoming message is an error message then the Initiator transi tions from WAIT_M2 to ABORTED. In case of error code 2 (Wrong Selected Cipher Su ite), the Initiator remembers the supported cipher suites for this particular Re sponder and transitions from ABORTED to START. The message_1 that the Initiator subsequently sends takes into account the cipher suites supported by the Respond er.</t> <t>If the incoming message is an error message, then the Initiator trans itions from WAIT_M2 to ABORTED. In case of error code 2 (Wrong Selected Cipher S uite), the Initiator remembers the supported cipher suites for this particular R esponder and transitions from ABORTED to START. The message_1 that the Initiator subsequently sends takes into account the cipher suites supported by the Respon der.</t>
<t>Upon receiving a non-error message, the Initiator transitions from WA IT_M2 to RCVD_M2 and processes the message. If a processing error occurs on mess age_2, then the Initiator transitions from RCVD_M2 to ABORTED. In case of succes sful processing of message_2, the Initiator transitions from RCVD_M2 to VRFD_M2. </t> <t>Upon receiving a non-error message, the Initiator transitions from WA IT_M2 to RCVD_M2 and processes the message. If a processing error occurs on mess age_2, then the Initiator transitions from RCVD_M2 to ABORTED. In case of succes sful processing of message_2, the Initiator transitions from RCVD_M2 to VRFD_M2. </t>
<t>The Initiator prepares and processes message_3 for sending. If any pr ocessing error is encountered, the Initiator transitions from VRFD_M2 to ABORTED . If message_3 is successfully sent, the Initiator transitions from VRFD_M2 to C OMPLETED.</t> <t>The Initiator prepares and processes message_3 for sending. If any pr ocessing error is encountered, the Initiator transitions from VRFD_M2 to ABORTED . If message_3 is successfully sent, the Initiator transitions from VRFD_M2 to C OMPLETED.</t>
<t>If the application profile includes message_4, then the Initiator wai ts for message_4. If the incoming message is an error message then the Initiator transitions from COMPLETED to ABORTED. Upon receiving a non-error message, the Initiator transitions from COMPLETED (="WAIT_M4") to RCVD_M4 and processes the m essage. If a processing error occurs on message_4, then the Initiator transition s from RCVD_M4 to ABORTED. In case of successful processing of message_4, the In itiator transitions from RCVD_M4 to PERSISTED (="VRFD_M4").</t> <t>If the application profile includes message_4, then the Initiator wai ts for message_4. If the incoming message is an error message, then the Initiato r transitions from COMPLETED to ABORTED. Upon receiving a non-error message, the Initiator transitions from COMPLETED (="WAIT_M4") to RCVD_M4 and processes the message. If a processing error occurs on message_4, then the Initiator transitio ns from RCVD_M4 to ABORTED. In case of successful processing of message_4, the I nitiator transitions from RCVD_M4 to PERSISTED (="VRFD_M4").</t>
<t>If the application profile does not include message_4, then the Initi ator waits for an incoming application message. If the decryption and verificati on of the application message is successful, then the Initiator transitions from COMPLETED to PERSISTED.</t> <t>If the application profile does not include message_4, then the Initi ator waits for an incoming application message. If the decryption and verificati on of the application message is successful, then the Initiator transitions from COMPLETED to PERSISTED.</t>
<figure>
<name>Initiator State Machine</name>
<artset> <artset>
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/ svg" version="1.1" height="528" width="536" viewBox="0 0 536 528" class="diagram " text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap=" round"> <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/ svg" version="1.1" height="" width="" viewBox="0 0 536 528" class="diagram" text -anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round" >
<path d="M 40,32 L 40,48" fill="none" stroke="black"/> <path d="M 40,32 L 40,48" fill="none" stroke="black"/>
<path d="M 40,128 L 40,432" fill="none" stroke="black"/> <path d="M 40,128 L 40,432" fill="none" stroke="black"/>
<path d="M 232,48 L 232,96" fill="none" stroke="black"/> <path d="M 232,48 L 232,96" fill="none" stroke="black"/>
<path d="M 232,128 L 232,176" fill="none" stroke="black"/> <path d="M 232,128 L 232,176" fill="none" stroke="black"/>
<path d="M 232,208 L 232,256" fill="none" stroke="black"/> <path d="M 232,208 L 232,256" fill="none" stroke="black"/>
<path d="M 232,288 L 232,336" fill="none" stroke="black"/> <path d="M 232,288 L 232,336" fill="none" stroke="black"/>
<path d="M 232,368 L 232,416" fill="none" stroke="black"/> <path d="M 232,368 L 232,416" fill="none" stroke="black"/>
<path d="M 232,448 L 232,496" fill="none" stroke="black"/> <path d="M 232,448 L 232,496" fill="none" stroke="black"/>
<path d="M 424,352 L 424,512" fill="none" stroke="black"/> <path d="M 424,352 L 424,512" fill="none" stroke="black"/>
<path d="M 72,112 L 200,112" fill="none" stroke="black"/> <path d="M 72,112 L 200,112" fill="none" stroke="black"/>
skipping to change at line 3962 skipping to change at line 3105
| | (Receive message_4) | | | (Receive message_4) |
| | | | | |
| (Processing error) v | (Verify | (Processing error) v | (Verify
+------------------- (RCVD_M4) | application +------------------- (RCVD_M4) | application
| | message) | | message)
| (Verify message_4) | | (Verify message_4) |
| | | |
v | v |
PERSISTED <---------------+ PERSISTED <---------------+
]]></artwork> ]]></artwork>
</artset> </artset>
</figure>
</section> </section>
<section anchor="responder-state-machine"> <section anchor="responder-state-machine">
<name>Responder State Machine</name> <name>Responder State Machine</name>
<t>Upon receiving message_1, the Responder transitions from START to RCV D_M1.</t> <t>Upon receiving message_1, the Responder transitions from START to RCV D_M1.</t>
<t>If a processing error occurs on message_1, the Responder transitions <t>If a processing error occurs on message_1, the Responder transitions
from RCVD_M1 to ABORTED. This includes sending error message with error code 2 ( from RCVD_M1 to ABORTED. This includes sending an error message with error code
Wrong Selected Cipher Suite) if the selected cipher suite in message_1 is not su 2 (Wrong Selected Cipher Suite) if the selected cipher suite in message_1 is not
pported. In case of successful processing of message_1, the Responder transition supported. In case of successful processing of message_1, the Responder transit
s from RCVD_M1 to VRFD_M1.</t> ions from RCVD_M1 to VRFD_M1.</t>
<t>The Responder prepares and processes message_2 for sending. If any pr <t>The Responder prepares and processes message_2 for sending. If any pr
ocessing error is encountered, the Responder transitions from VRFD_M1 to ABORTED ocessing error is encountered, the Responder transitions from VRFD_M1 to ABORTED
. If message_2 is successfully sent, the Initiator transitions from VRFD_M2 to W . If message_2 is successfully sent, the Initiator transitions from VRFD_M2 to W
AIT_M3, and waits for message_3.</t> AIT_M3 and waits for message_3.</t>
<t>If the incoming message is an error message then the Responder transi <t>If the incoming message is an error message, then the Responder trans
tions from WAIT_M3 to ABORTED.</t> itions from WAIT_M3 to ABORTED.</t>
<t>Upon receiving message_3, the Responder transitions from WAIT_M3 to R CVD_M3. If a processing error occurs on message_3, the Responder transitions fro m RCVD_M3 to ABORTED. In case of successful processing of message_3, the Respond er transitions from RCVD_M3 to COMPLETED (="VRFD_M3").</t> <t>Upon receiving message_3, the Responder transitions from WAIT_M3 to R CVD_M3. If a processing error occurs on message_3, the Responder transitions fro m RCVD_M3 to ABORTED. In case of successful processing of message_3, the Respond er transitions from RCVD_M3 to COMPLETED (="VRFD_M3").</t>
<t>If the application profile includes message_4, the Responder prepares and processes message_4 for sending. If any processing error is encountered, th e Responder transitions from COMPLETED to ABORTED.</t> <t>If the application profile includes message_4, the Responder prepares and processes message_4 for sending. If any processing error is encountered, th e Responder transitions from COMPLETED to ABORTED.</t>
<t>If message_4 is successfully sent, or if the application profile does not include message_4, the Responder transitions from COMPLETED to PERSISTED.</ t> <t>If message_4 is successfully sent, or if the application profile does not include message_4, the Responder transitions from COMPLETED to PERSISTED.</ t>
<figure>
<name>Responder State Machine</name>
<artset> <artset>
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/ svg" version="1.1" height="528" width="384" viewBox="0 0 384 528" class="diagram " text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap=" round"> <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/ svg" version="1.1" height="" width="" viewBox="0 0 384 528" class="diagram" text -anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round" >
<path d="M 40,128 L 40,432" fill="none" stroke="black"/> <path d="M 40,128 L 40,432" fill="none" stroke="black"/>
<path d="M 232,48 L 232,96" fill="none" stroke="black"/> <path d="M 232,48 L 232,96" fill="none" stroke="black"/>
<path d="M 232,128 L 232,176" fill="none" stroke="black"/> <path d="M 232,128 L 232,176" fill="none" stroke="black"/>
<path d="M 232,208 L 232,256" fill="none" stroke="black"/> <path d="M 232,208 L 232,256" fill="none" stroke="black"/>
<path d="M 232,288 L 232,336" fill="none" stroke="black"/> <path d="M 232,288 L 232,336" fill="none" stroke="black"/>
<path d="M 232,368 L 232,416" fill="none" stroke="black"/> <path d="M 232,368 L 232,416" fill="none" stroke="black"/>
<path d="M 232,448 L 232,496" fill="none" stroke="black"/> <path d="M 232,448 L 232,496" fill="none" stroke="black"/>
<path d="M 72,112 L 200,112" fill="none" stroke="black"/> <path d="M 72,112 L 200,112" fill="none" stroke="black"/>
<path d="M 40,192 L 200,192" fill="none" stroke="black"/> <path d="M 40,192 L 200,192" fill="none" stroke="black"/>
<path d="M 40,272 L 200,272" fill="none" stroke="black"/> <path d="M 40,272 L 200,272" fill="none" stroke="black"/>
skipping to change at line 4065 skipping to change at line 3211
| | Verify message_3 | | Verify message_3
| | | |
| (Processing error) v | (Processing error) v
+------------------- COMPLETED +------------------- COMPLETED
| |
| (Send message_4) | (Send message_4)
| |
v v
PERSISTED PERSISTED
]]></artwork> ]]></artwork>
</artset> </artset>
</figure>
</section> </section>
</section> </section>
<section anchor="change-log">
<name>Change Log</name>
<t>RFC Editor: Please remove this appendix.</t>
<ul spacing="normal">
<li>
<t>From -21 to -22 </t>
<ul spacing="normal">
<li>Normative text on transport capabilities.</li>
</ul>
</li>
<li>
<t>From -20 to -21 </t>
<ul spacing="normal">
<li>Recommendation to use chain instead of bag</li>
<li>
<t>Improved text about
</t>
<ul spacing="normal">
<li>denial-of-service</li>
<li>deriving secret and non-secret randomness from the same KDF
instance</li>
<li>practical security against quantum computers</li>
</ul>
</li>
<li>
<t>Clarifications, including
</t>
<ul spacing="normal">
<li>several updates section 3.4. Transport</li>
<li>descriptions in COSE IANA registration</li>
<li>encoding in Figure 5, reading of Figure 17</li>
</ul>
</li>
<li>Removed term "dummy"</li>
<li>Harmonizing captions</li>
<li>Updated references</li>
<li>Acknowledgments</li>
</ul>
</li>
<li>
<t>From -19 to -20
</t>
<ul spacing="normal">
<li>C_R encrypted in message_2</li>
<li>C_R removed from TH_2</li>
<li>Error code for unknown referenced credential</li>
<li>Error code 0 (success) explicitly reserved</li>
<li>Message deduplication section moved from appendix to body</li>
<li>
<t>Terminology
</t>
<ul spacing="normal">
<li>discontinued -&gt; aborted</li>
<li>protocol run / exchange -&gt; session</li>
</ul>
</li>
<li>
<t>Clarifications, in particular
</t>
<ul spacing="normal">
<li>when to derive application keys</li>
<li>the role of the application for authentication</li>
</ul>
</li>
<li>Security considerations for kccs and kcwt</li>
<li>Updated references</li>
</ul>
</li>
<li>
<t>From -18 to -19
</t>
<ul spacing="normal">
<li>
<t>Clarifications:
</t>
<ul spacing="normal">
<li>Relation to SIGMA</li>
<li>Role of Static DH</li>
<li>Initiator and Responder roles</li>
<li>Transport properties</li>
<li>Construction of SUITES_I</li>
<li>Message correlation, new subsection 3.4.1, replacing former
appendix H</li>
<li>Role of description about long PLAINTEXT_2</li>
<li>ead_label and ead_value</li>
<li>Message processing (Section 5)</li>
<li>Padding</li>
<li>Cipher suite negotiation example</li>
</ul>
</li>
<li>
<t>Other updates:
</t>
<ul spacing="normal">
<li>Improved and stricter normative text in Appendix A</li>
<li>Naming and separate sections for the two message flows in Ap
pendix A: Forward/Reverse message flow,</li>
<li>Table index style captions</li>
<li>Aligning with COSE terminology: header map -&gt; header_map<
/li>
<li>Aligning terminology, use of "_" instead of "-"</li>
<li>Prefixing "EDHOC_" to functions</li>
<li>Updated list of security analysis papers</li>
<li>New appendix with example state machine</li>
<li>Acknowledgements</li>
<li>Language improvements by native English speakers</li>
<li>Updated IANA section with registration procedures</li>
<li>New and updated references</li>
<li>Removed appendix H</li>
</ul>
</li>
</ul>
</li>
<li>
<t>From -17 to -18 </t>
<ul spacing="normal">
<li>Padding realised as EAD with ead_label = 0, PAD fields removed</
li>
<li>Revised EAD syntax; ead is now EAD item; ead_value is now option
al</li>
<li>
<t>Clarifications of
</t>
<ul spacing="normal">
<li>Identifier representation</li>
<li>Authentication credentials</li>
<li>RPK</li>
<li>Encoding of ID_CRED with kid</li>
<li>Representation of public keys, y-coordinate of ephemeral key
s and validation</li>
<li>Processing after completed protocol</li>
<li>Making verifications available to the application</li>
<li>Relation between EDHOC and OSCORE identifiers</li>
</ul>
</li>
<li>Terminology alignment in particular session / protocol; disconti
nue / terminate</li>
<li>Updated CDDL</li>
<li>Additional unicode encodings</li>
<li>Large number of nits from WGLC</li>
</ul>
</li>
<li>
<t>From -16 to -17 </t>
<ul spacing="normal">
<li>EDHOC-KeyUpdate moved to appendix</li>
<li>Updated peer awareness properties based on SIGMA</li>
<li>Clarify use of random connection identifiers</li>
<li>Editorials related to appendix about messages with long PLAINTEX
T_2</li>
<li>Updated acknowledgments (have we forgotten someone else? please
send email)</li>
</ul>
</li>
<li>
<t>From -15 to -16 </t>
<ul spacing="normal">
<li>TH_2 used as salt in the derivation of PRK_2e</li>
<li>CRED_R/CRED_I included in TH_3/TH_4</li>
<li>Distinguish label used in info, exporter or elsewhere</li>
<li>
<t>New appendix for optional handling arbitrarily large message_2
</t>
<ul spacing="normal">
<li>info_label type changed to int to support this</li>
</ul>
</li>
<li>Updated security considerations</li>
<li>Implementation note about identifiers which are bstr/int</li>
<li>Clarifications, especifically about compact representation</li>
<li>Type bug fix in CDDL section</li>
</ul>
</li>
<li>
<t>From -14 to -15
</t>
<ul spacing="normal">
<li>
<t>Connection identifiers and key identifiers are now byte strings
</t>
<ul spacing="normal">
<li>
<t>Represented as CBOR bstr in the EDHOC message
</t>
<ul spacing="normal">
<li>Unless they happen to encode a one-byte CBOR int</li>
</ul>
</li>
<li>More examples</li>
</ul>
</li>
<li>
<t>EAD updates and details
</t>
<ul spacing="normal">
<li>Definition of EAD item</li>
<li>Definition of critical / non-critical EAD item</li>
</ul>
</li>
<li>New section in Appendix D: Unauthenticated Operation</li>
<li>
<t>Clarifications
</t>
<ul spacing="normal">
<li>Lengths used in EDHOC-KDF</li>
<li>
<t>Key derivation from PRK_out
</t>
<ul spacing="normal">
<li>EDHOC-KeyUpdate and EDHOC-Exporter</li>
</ul>
</li>
<li>Padding</li>
</ul>
</li>
<li>
<t>Security considerations
</t>
<ul spacing="normal">
<li>When a change in a message is detected</li>
<li>Confidentiality in case of active attacks</li>
<li>Connection identifiers should be unpredictable</li>
<li>Maximum length of message_2</li>
</ul>
</li>
<li>Minor bugs</li>
</ul>
</li>
<li>
<t>From -13 to -14
</t>
<ul spacing="normal">
<li>Merge of section 1.1 and 1.2</li>
<li>Connection and key identifiers restricted to be byte strings</li
>
<li>Representation of byte strings as one-byte CBOR ints (-24..23)</
li>
<li>Simplified mapping between EDHOC and OSCORE identifiers</li>
<li>
<t>Rewrite of 3.5
</t>
<ul spacing="normal">
<li>Clarification of authentication related operations performed
by EDHOC</li>
<li>Authentication related verifications, including old section
3.5.1, moved to new appendix D</li>
</ul>
</li>
<li>
<t>Rewrite of 3.8
</t>
<ul spacing="normal">
<li>Move content about use of EAD to new appendix E</li>
<li>ead_value changed to bstr</li>
</ul>
</li>
<li>
<t>EDHOC-KDF updated
</t>
<ul spacing="normal">
<li>transcript_hash argument removed</li>
<li>TH included in context argument</li>
<li>label argument is now type uint, all labels replaced</li>
</ul>
</li>
<li>
<t>Key schedule updated
</t>
<ul spacing="normal">
<li>New salts derived to avoid reuse of same key with expand and
extract</li>
<li>PRK_4x3m renamed PRK_4e3m</li>
<li>K_4 and IV_4 derived from PRK_4e3m</li>
<li>New PRK: PRK_out derived from PRK_4e3m and TH_4</li>
<li>Clarified main output of EDHOC is the shared secret PRK_out<
/li>
<li>Exporter defined by EDHOC-KDF and new PRK PRK_exporter deriv
ed from PRK_out</li>
<li>Key update defined by Expand instead of Extract</li>
</ul>
</li>
<li>All applications of EDHOC-KDF in one place</li>
<li>
<t>Update of processing
</t>
<ul spacing="normal">
<li>EAD and ID_CRED passed to application when available</li>
<li>identity verification and credential retrieval omitted in pr
otocol description</li>
<li>Transcript hash defined by plaintext messages instead of cip
hertext</li>
<li>Changed order of input to TH_2</li>
<li>Removed general G_X checking against selfie-attacks</li>
</ul>
</li>
<li>Support for padding of plaintext</li>
<li>Updated compliance requirements</li>
<li>
<t>Updated security considerations
</t>
<ul spacing="normal">
<li>Updated and more clear requirements on MAC length</li>
<li>Clarification of key confirmation</li>
<li>Forbid use of same key for signature and static DH</li>
</ul>
</li>
<li>Updated appendix on message deduplication</li>
<li>
<t>Clarifications of
</t>
<ul spacing="normal">
<li>connection identifiers</li>
<li>cipher suites, including negotiation</li>
<li>EAD</li>
<li>Error messages</li>
</ul>
</li>
<li>Updated media types</li>
<li>Applicability template renamed application profile</li>
<li>Editorials</li>
</ul>
</li>
<li>
<t>From -12 to -13
</t>
<ul spacing="normal">
<li>no changes</li>
</ul>
</li>
<li>
<t>From -12:
</t>
<ul spacing="normal">
<li>Shortened labels to derive OSCORE key and salt</li>
<li>ead_value changed to bstr</li>
<li>Removed general G_X checking against selfie-attacks</li>
<li>Updated and more clear requirements on MAC length</li>
<li>Clarifications from Kathleen, Stephen, Marco, Sean, Stefan,</li>
<li>Authentication Related Verifications moved to appendix</li>
<li>Updated MTI section and cipher suite</li>
<li>Updated security considerations</li>
</ul>
</li>
<li>
<t>From -11 to -12:
</t>
<ul spacing="normal">
<li>Clarified applicability to KEMs</li>
<li>Clarified use of COSE header parameters</li>
<li>Updates on MTI</li>
<li>Updated security considerations</li>
<li>New section on PQC</li>
<li>Removed duplicate definition of cipher suites</li>
<li>Explanations of use of COSE moved to Appendix C.3</li>
<li>Updated internal references</li>
</ul>
</li>
<li>
<t>From -10 to -11:
</t>
<ul spacing="normal">
<li>Restructured section on authentication parameters</li>
<li>Changed UCCS to CCS</li>
<li>Changed names and description of COSE header parameters for CWT/
CCS</li>
<li>Changed several of the KDF and Exporter labels</li>
<li>Removed edhoc_aead_id from info (already in transcript_hash)</li
>
<li>Added MTI section</li>
<li>EAD: changed CDDL names and added value type to registry</li>
<li>Updated Figures 1, 2, and 3</li>
<li>Some correction and clarifications</li>
<li>Added core.edhoc to CoRE Resource Type registry</li>
</ul>
</li>
<li>
<t>From -09 to -10:
</t>
<ul spacing="normal">
<li>SUITES_I simplified to only contain the selected and more prefer
red suites</li>
<li>Info is a CBOR sequence and context is a bstr</li>
<li>Added kid to UCCS example</li>
<li>Separate header parameters for CWT and UCCS</li>
<li>CWT Confirmation Method kid extended to bstr / int</li>
</ul>
</li>
<li>
<t>From -08 to -09:
</t>
<ul spacing="normal">
<li>G_Y and CIPHERTEXT_2 are now included in one CBOR bstr</li>
<li>MAC_2 and MAC_3 are now generated with EDHOC-KDF</li>
<li>Info field “context” is now general and explicit in EDHOC-KDF</l
i>
<li>Restructured Section 4, Key Derivation</li>
<li>Added EDHOC MAC length to cipher suite for use with static DH</l
i>
<li>More details on the use of CWT and UCCS</li>
<li>Restructured and clarified Section 3.5, Authentication Parameter
s</li>
<li>Replaced 'kid2' with extension of 'kid'</li>
<li>EAD encoding now supports multiple ead types in one message</li>
<li>Clarified EAD type</li>
<li>Updated message sizes</li>
<li>Replaced “perfect forward secrecy” with “forward secrecy”</li>
<li>Updated security considerations</li>
<li>Replaced prepended 'null' with 'true' in the CoAP transport of m
essage_1</li>
<li>Updated CDDL definitions</li>
<li>Expanded on the use of COSE</li>
</ul>
</li>
<li>
<t>From -07 to -08:
</t>
<ul spacing="normal">
<li>Prepended C_x moved from the EDHOC protocol itself to the transp
ort mapping</li>
<li>METHOD_CORR renamed to METHOD, corr removed</li>
<li>Removed bstr_identifier and use bstr / int instead; C_x can now
be int without any implied bstr semantics</li>
<li>Defined COSE header parameter 'kid2' with value type bstr / int
for use with ID_CRED_x</li>
<li>Updated message sizes</li>
<li>New cipher suites with AES-GCM and ChaCha20 / Poly1305</li>
<li>Changed from one- to two-byte identifier of CNSA compliant suite
</li>
<li>Separate sections on transport and connection id with further su
b-structure</li>
<li>Moved back key derivation for OSCORE from draft-ietf-core-oscore
-edhoc</li>
<li>OSCORE and CoAP specific processing moved to new appendix</li>
<li>Message 4 section moved to message processing section</li>
</ul>
</li>
<li>
<t>From -06 to -07:
</t>
<ul spacing="normal">
<li>Changed transcript hash definition for TH_2 and TH_3</li>
<li>Removed "EDHOC signature algorithm curve" from cipher suite</li>
<li>New IANA registry "EDHOC Exporter Label"</li>
<li>New application defined parameter "context" in EDHOC-Exporter</l
i>
<li>Changed normative language for failure from MUST to SHOULD send
error</li>
<li>Made error codes non-negative and 0 for success</li>
<li>Added detail on success error code</li>
<li>Aligned terminology "protocol instance" -&gt; "session"</li>
<li>New appendix on compact EC point representation</li>
<li>Added detail on use of ephemeral public keys</li>
<li>Moved key derivation for OSCORE to draft-ietf-core-oscore-edhoc<
/li>
<li>Additional security considerations</li>
<li>Renamed "Auxililary Data" as "External Authorization Data"</li>
<li>Added encrypted EAD_4 to message_4</li>
</ul>
</li>
<li>
<t>From -05 to -06:
</t>
<ul spacing="normal">
<li>New section 5.2 "Message Processing Outline"</li>
<li>Optional inital byte C_1 = null in message_1</li>
<li>New format of error messages, table of error codes, IANA registr
y</li>
<li>Change of recommendation transport of error in CoAP</li>
<li>Merge of content in 3.7 and appendix C into new section 3.7 "App
licability Statement"</li>
<li>Requiring use of deterministic CBOR</li>
<li>New section on message deduplication</li>
<li>New appendix containin all CDDL definitions</li>
<li>New appendix with change log</li>
<li>Removed section "Other Documents Referencing EDHOC"</li>
<li>Clarifications based on review comments</li>
</ul>
</li>
<li>
<t>From -04 to -05:
</t>
<ul spacing="normal">
<li>EDHOC-Rekey-FS -&gt; EDHOC-KeyUpdate</li>
<li>Clarification of cipher suite negotiation</li>
<li>Updated security considerations</li>
<li>Updated test vectors</li>
<li>Updated applicability statement template</li>
</ul>
</li>
<li>
<t>From -03 to -04:
</t>
<ul spacing="normal">
<li>Restructure of section 1</li>
<li>Added references to C509 Certificates</li>
<li>Change in CIPHERTEXT_2 -&gt; plaintext XOR KEYSTREAM_2 (test vec
tor not updated)</li>
<li>"K_2e", "IV_2e" -&gt; KEYSTREAM_2</li>
<li>Specified optional message 4</li>
<li>EDHOC-Exporter-FS -&gt; EDHOC-Rekey-FS</li>
<li>Less constrained devices SHOULD implement both suite 0 and 2</li
>
<li>Clarification of error message</li>
<li>Added exporter interface test vector</li>
</ul>
</li>
<li>
<t>From -02 to -03:
</t>
<ul spacing="normal">
<li>Rearrangements of section 3 and beginning of section 4</li>
<li>Key derivation new section 4</li>
<li>Cipher suites 4 and 5 added</li>
<li>EDHOC-EXPORTER-FS - generate a new PRK_4x3m from an old one</li>
<li>Change in CIPHERTEXT_2 -&gt; COSE_Encrypt0 without tag (no chang
e to test vector)</li>
<li>Clarification of error message</li>
<li>New appendix C applicability statement</li>
</ul>
</li>
<li>
<t>From -01 to -02:
</t>
<ul spacing="normal">
<li>New section 1.2 Use of EDHOC</li>
<li>Clarification of identities</li>
<li>New section 4.3 clarifying bstr_identifier</li>
<li>Updated security considerations</li>
<li>Updated text on cipher suite negotiation and key confirmation</l
i>
<li>Test vector for static DH</li>
</ul>
</li>
<li>
<t>From -00 to -01:
</t>
<ul spacing="normal">
<li>Removed PSK method</li>
<li>Removed references to certificate by value</li>
</ul>
</li>
</ul>
</section>
<section numbered="false" anchor="acknowledgments"> <section numbered="false" anchor="acknowledgments">
<name>Acknowledgments</name> <name>Acknowledgments</name>
<t>The authors want to thank <t>The authors want to thank
<contact fullname="Christian Amsüss"/>, <contact fullname="Christian Amsüss"/>,
<contact fullname="Alessandro Bruni"/>,
<contact fullname="Karthikeyan Bhargavan"/>, <contact fullname="Karthikeyan Bhargavan"/>,
<contact fullname="Carsten Bormann"/>, <contact fullname="Carsten Bormann"/>,
<contact fullname="Alessandro Bruni"/>,
<contact fullname="Timothy Claeys"/>, <contact fullname="Timothy Claeys"/>,
<contact fullname="Baptiste Cottier"/>, <contact fullname="Baptiste Cottier"/>,
<contact fullname="Roman Danyliw"/>, <contact fullname="Roman Danyliw"/>,
<contact fullname="Martin Disch"/>, <contact fullname="Martin Disch"/>,
<contact fullname="Martin Duke"/>, <contact fullname="Martin Duke"/>,
<contact fullname="Donald Eastlake"/>, <contact fullname="Donald Eastlake 3rd"/>,
<contact fullname="Lars Eggert"/>, <contact fullname="Lars Eggert"/>,
<contact fullname="Stephen Farrell"/>, <contact fullname="Stephen Farrell"/>,
<contact fullname="Loïc Ferreira"/>, <contact fullname="Loïc Ferreira"/>,
<contact fullname="Theis Grønbech Petersen"/>, <contact fullname="Theis Grønbech Petersen"/>,
<contact fullname="Felix Günther"/>, <contact fullname="Felix Günther"/>,
<contact fullname="Dan Harkins"/>, <contact fullname="Dan Harkins"/>,
<contact fullname="Klaus Hartke"/>, <contact fullname="Klaus Hartke"/>,
<contact fullname="Russ Housley"/>, <contact fullname="Russ Housley"/>,
<contact fullname="Stefan Hristozov"/>, <contact fullname="Stefan Hristozov"/>,
<contact fullname="Marc Ilunga"/>, <contact fullname="Marc Ilunga"/>,
skipping to change at line 4630 skipping to change at line 3275
<contact fullname="Rene Struik"/>, <contact fullname="Rene Struik"/>,
<contact fullname="Vaishnavi Sundararajan"/>, <contact fullname="Vaishnavi Sundararajan"/>,
<contact fullname="Erik Thormarker"/>, <contact fullname="Erik Thormarker"/>,
<contact fullname="Marco Tiloca"/>, <contact fullname="Marco Tiloca"/>,
<contact fullname="Sean Turner"/>, <contact fullname="Sean Turner"/>,
<contact fullname="Michel Veillette"/>, <contact fullname="Michel Veillette"/>,
<contact fullname="Mališa Vučinić"/>, <contact fullname="Mališa Vučinić"/>,
<contact fullname="Paul Wouters"/>, <contact fullname="Paul Wouters"/>,
and and
<contact fullname="Lei Yan"/> <contact fullname="Lei Yan"/>
for reviewing and commenting on intermediate versions of the draft. We are espec for reviewing and commenting on intermediate draft versions of this docume
ially indebted to the late <contact fullname="Jim Schaad"/> for his continuous r nt.</t>
eviewing and implementation of early versions of this and other drafts.</t> <t>We are especially indebted to the late <contact fullname="Jim Schaad"/>
for his continuous review and implementation of draft versions of this document
, as well as his work on other technologies such as COSE and OSCORE without whic
h EDHOC would not have been.</t>
<t>Work on this document has in part been supported by the H2020 project S IFIS-Home (grant agreement 952652).</t> <t>Work on this document has in part been supported by the H2020 project S IFIS-Home (grant agreement 952652).</t>
</section> </section>
</back> </back>
<!-- ##markdown-source:
H4sIAAAAAAAAA9y9y3Yb2ZUoOOdXxJUGAtMARACkRMlOVzNJKkVLSskk7cxc
VbVUQSBAhgVEwBEBUrQye/WkR/0FPer+il53cEftP7lf0vt5zj7xAKl8uFzN
cilJIOI89tlnvx+DwWCrSqtF8jw6Xl0ly6SIF9FROp+nyeBlslgs4yx6e50U
0eHbs+Ood3z08u3h9tYsn2bxEt6ZFfG8GqRJNR8s4g/JIJld5dPBeLwVX1wU
yTUMii9sbaWr4nlUFeuyGu/sPNuB74skfh6dHR9u3eTFh8siX6+eR68PXh1H
38LfaXYZfY2fbU3j6nlUVrOtcn2xTMsyzbPqdgUznxyfv9ia5lmZZOW6pMGT
LfhgBu8+j9awoP2tVfo8ehhNYQvrMonioohvo146j+LFIrpNyu0oL6KruLyK
rpIi2YqiKp8+xy/g1zIvqiKZl+7v26X9E56cJavq6nk03tqK19VVXjzfGkQM
lK///v8UMOdZsoizWVLg2+uCvzKf5QWs87hIp2WZZ9HBV/CRA5p8im/CKpIK
ITUYPdmN9neiM5j7w1W+WMK303ydVcUtfH2TzBJ8PlnG6eJ5dJnDCoalzPa/
JDLgcJov3TL/kF9l0bsiWf/9/4rexFUlM6ZZWqXxArb6B7vy5oO/6gb+Aosb
LmWy9vW/gC1Ok3IaR+/iRb68gIUHCzYf/qpLnes6hiudMlzwVpYXsJX0Onm+
Ba+dvjgcj0bPnvOvk/FT9+ve3lh+3RuNnuiv+0/0gSdwdfTXZ0/8r26Ep2M3
wtOnu/v667M9fWB/NH7ifn26q79Onulr+7sjHXf/if11or8+HbvXnu6O/a9P
9ddnuzrbsx23HPhVR3g2erqnv05wF1tpNm9A6Nm+A8B432119GzXbXW873ft
f32mrz194hc6eeJ2PXnqft3ddb8+mzx1C93ZcQt1m4I1P3FrfkafngyOhkT4
irgqBwnQKfshUcMi+WvZ/LQqYkCX4PNpXiSDvKT/EAmtfVsmg+lFXgySDAhc
MhtMk6LqHOBDcjtYr2ZxlYRz36SXg+m6uMZ1rYoECGcFIAcKGjyW5lW+Kgdl
Ao+m1e1gVcAH03wBUyxXcZECUrvnC5x5XlwOZkk1KNPLcnCTVleDLE9LN7fS
IN47ksq/6Vdx8eFDPoiL6dUgzaqkyGCU6goYQzVYwjYXg8t1OsO7BUgBr5y9
G+zv7Az2nhzgAECD4+ISr+tVVa3K548fz/J0CBf98Whn+GRnvP/4m5Oz8+HZ
u6G8VEz4LWZ2pwnsZ5lkMwJBBPgHBCMtBt/C0qNXAMHjsoovFml5BQ9V0dkU
eWMZ/alE1nSUltMiqZLodX4JIKmultFhcbuq8ssiXl3d0jwlkICkRMzm1UbR
A1zQg+fRg7NVMgUKG71bwwRTXoAsEtZ1nSKTiyYP6DXlLTzEQP6LVBoI9PEw
+gqASOyk5evXw+jwiihVy5cHw+g0v4RfP9x2PvDnGBjuIrluf+B0GB3FsFr6
lNAtOlgV6SIa74z2zYGNdvY//8DgpWJ0x4HBMUVHAOZr/ojP5l2ZrGfI/Wb5
MnqxzqaE4j/1SGAZ/khG9zgSC3OByfoSxB4ACkhFBBQad3/vJ8Bkf89C5Ozl
wWDCAEhmfqvRFL54ddyPXr05OOxH5+vVInmJQg6ABHAc5LtFssAPfjJM9vfu
AQiSLl4lizLpwK+zq/XgL0kG4Iqzyw4MA3ntXVIsMsFwBuhRMk2WFyCSAp49
QZAeJZfxBWxjkYxG7VAFegcUZpjG04KgC2+OHj8ZBeB8m0XVVQLrTvG+C/mL
8nl0nE3xcuP2EYRn6WUWV+sigTVGx2/+fA9QDKN3Q7PKzvv2OrkCebvjwr4a
Rl/DQACCgsWVlme+oZnOlnFRtT/wBr5FuXbRCdERQhRR4N0fD9uBOS2L6TBL
y2p4mV8/flfkf0mmVfl4lZfV4K/rOKvWy8HUkMPH8/ivpYX0O3zyj/xkQDij
Fwd/LFuvzoSuzvHh1+1Lurm5AUYzvaTDhV9Gg+vxcDWbB9elgtOLi1lJtOMY
NJxpiqQ9WMAo6sEs0WjbrOINYCFqLbSEk6/fdLAfXINDMN7/7OIxcje4n4Bx
O5PHh6ffvzt/+3i0+2yP/mksEUePBtE54OEj+CMbwJIHbw6mj4CyAiOOp1eg
eQBYAFGzCu8kXPyasoYoelIhpyIERZQ+eXU8eCdsvLwbXV8Oo1dFfDP92+0H
A4U/rLMEwUAn8fLV0YtVvEqKe1+3ncfjJ7v1/T4wsE+n0fFHFI3cRQvJ+3OC
Ck4szPgeNKh9J3yeox3cyPkVCp7IQsf3Jh3j0eO9nWeNvbxFLRM5EIK8BBUk
AkEsWoFQwQg3G+/tjZ7RzuCYvuO/LuISjvDV8Zv7cXu/3BamO6are/jNWQeC
JtnwJv2QrpJZGtNW8K/Hh8hVCyT0778hQMMvSv3eHyxAkUT55v3ZOq0Su1//
XqTvearp3ov8exv3Botuu/dAoeHjr9eA7aCinyzW2WU8Ht/7oMaPR0939kKM
i4H6rRcRCqoR3KwBXqUB3jWYFje1Wle6nQP457ZMS2QCeKhky4hep5dX1U2C
/9ZuIiLs8ccp8rMk0gt3j4N9AZT97/+DtthJtXnv7TSbBYs/xCQgjSft4LmK
F8M0K+Do5wX+MdiZ7I/gFowfW/gcRCjmFwnsqgSy1Y9IMVsw1q6rfEkbjVsB
o5rC3Rs+HOpqOzH91SJJO5jcGd5qtFR1AusUBl9Pr/LKwOvttMotuA7zqkqT
4h2ye6An1/GiC7Hi4mN6TSgVX5SPx2O4+zuTvWfPAsrtMP9nguaroa6s/fsj
4PB+yWZ/Z8mqChHim7yAs8vGO/fa1s7O0+FotDt+arf1gk/fboo3RKgeaEhI
4w5B/AQSnmaAIyf5OeDodTpN7sFyQLaR1bZ//2cQW9bIveH//tL1EAhQXxVr
sve0AoUIPj0x6lBISIxAMnKZFHBk84TsjXBxZglQz8d8FwbXwJPmIhAP8vkg
UbvpYMas+IpZ8SCHJ1l5J53+8ejJeH93srvfAuE/mzEJyve3xd4J3AAujW/P
AbTx1SL6w9//OwADzamdz31d/P2/ZxcJCCHvEpRCux6F6w0s+u//o3DCLJ/G
NwAQFTNJQTy8yIs3SYeUCd8Nl0lAnQ6/ensavVvEt2gvzmb3IjRf5fVlCP/f
5zsipormAsiKoReX7gl9Mryqlgu7KBRLaBhH8tEyuUzQrt03+vzu3csFGIO6
U6R2tX9YL3S5g8EggrtKQtLW1vkVXMhZPl3T9StRWQNEKT8DdfpRHMFnt0Tz
YUyi8gvD3uJNgiZKN4lyO2Kn7iLgd+XQ077rdAYLW66rNbISPyjAhTjMDYjl
oIlOi2R626dVwAvwCNBTPICEZEIdD3aN1qJsBktCorMu40sSdaeG+pTTJIuL
NC+Zc0VL+JicANMY5eISxehE6RfKY2/PDt+eHkdq9sLBquRjBfhzGxUJC3YE
O5zSajd9xkr8mKxz8CBv4TA/eEcfw5qycpUXVZ84QjybpSJgoDEvKtO/JeSj
uECJcVXxkSzymyGf+DKdzUBn3HoYnWRVkc/WBA34+2H0Jq9EOt7aehNnt/gE
mdGQhAB+ZJdl1ANCvB3NktUiv0VMKWE7f12noL4CXK+yfJFfItbcgAAOgICP
r+DoAeVAuCd6B7hVg22SXadFnvFgnz6JLfbHH4dE82dM8wHit7gj+yKMc42H
sobp4tuyDx9MF2uEWLRMlnkBsCyrvIDj7OO5T5H8wnfTGJATzoTBuspvkmJI
tw7GzhA3rvHACNJXCZxumQD/xK3jEuJFCSf98Sq9SCu/GFh4ucb9ltE6K5JF
CoiQMPrnZQmnD1idJQtYokCjAGQp0ilegwt47CadVVe8ntltFi9BeanyFcLy
lpeG3il0LUXx9EOW3yyS2SW8WuGVhZ3BZMvo4hZ2yypp+jfcZxwVdJfg7Owl
VBLEqAxoDW8XcPOTMr3M5A6QlpefW4jiR5YfgwLprDiOUPUQSft6iHvjH38E
ogBvTZGcfZXCFbqN3l6gfg+EzNqM4U3AenkTLf70JplH8IEpDoL3J3qZxDMk
OyRVEjsFDfvw5aG++nS8C68OkZwlUZbIfkoxPfm9M3UmdKgJGRa1YUYgDCWf
OlxxUsX0Ss9yogKfPjWN9IS8S7yjiO9w+khigSWXsJVyI/7jjcFZsjVxNjg7
Yk1w6dMVn5juAXC8JFKFFx4wi29cOudLD/ediADSnSK9WFcJrv8yz2f+Jk4T
RBrCADphpSsRChqAPuUSHZtmJfEszdE9tcT5igRIB763AGqeTQEea5oDvr9c
unMF4M/WSP9upwt8K6mmQ5D/clROotSDCCAK8IEXAKMdGdNNyd2HndO9A0UC
rtACT5DJZwKDAFDtyclimHrQlb9IF/AqUBJ4A0gaslOAUgw3bo0SWjRPi+UN
gp99HSBz5MukgRGECYRXMHq5XhG8YqJDCZv31uidWNyGELW0EYgR8KAMnaKw
jeQ6yZjdAcDhpYWnQ8CjtrZoFQ7nynyxZqssoTXSHEeeko+AX7DAAq4IkA1i
I3LZ0MZIJAHwx5gfe8iB5Oagbw1ujmH8F3EJFy/29xzw+xZOzS8mKZg2J2r8
wv2wSwmRHFfgDzv5GC9XC2KWuiodqC7rnx6fnaNSfWxvRo9Zql70J6MJLlew
Hg4mIHKoDIKIKvTJrZjuMxENOD1iqMKJEVbEZAEgcHURb5HMBFydLs9fQeQg
fh5YmlA+4RPRmTylUcZA3B7n0H3gNQc0BIjNVjnxEMRzkKxRfri/qKQzgeRT
5EsBSAkkJxEZqMLniSmirRfJoEgHMzb1oy6ES2wfFobK14sZIz68ZKD8W4QP
kOFrFBgv4pCyIJFD2QjpRrJKaBsgMAEFGF4O+7X7WSQXeU7UGGA4R4EChywS
WXgAWUDvEnDlt/gojBBf5+lMaBBiLcwbu/stbmBCAbolfNOWKNuoYGHlR7wi
lTe4VekyGf5SknG3INwOd5ZzcUmEeBazAM4V71W5c0PobRF4mZ9O0xXexhLt
aACnSwB7zOLwQSBIK5KwRRH+LuKbaEWuG0b33um7VxTx4j8kSsx6Z8LMSmTD
kiVVIzIQ5pAgD7tYrSuc4Qp4FnxO+vAtvAFH4e8GMUYM+EGEpRORg9A7zrSY
ZyqSeVIgQiBGzeGyJjMmuIQf7m4TC0scI0W2dwXEsx8BvwxeYskPZeFYuA9A
BnXPmZA6nFSGKYdbrFjMctg3EL8IDq5g4qgMAy7NQK4ogq337gxAGSoySDJq
nxDuliwP1TDOHszFrds/oRPuEWg0Ui5cAjH1QHag7fLFIIaSIp0uaGWztGTx
QY3obYrUlmx4CeJPSVoRwBzF1MxjMws8rGsAB1SiyB6KT5/ovz/+yESRtd/v
votWcYUwh+/pI/yeOBjb9cmZcfxxhR8RT8DIFpS8eDWwjrJdxTIbsTYSe+A9
f7VwiPevElXMvk0uovP8Q4Lc89tzFG+/PY8OF3G6hN0Are0dHp7Bp98N93ae
ieKGrylbpM/hIfh3O7guAJMkgX3gmQ9wKSjG8vqdxsubiOLLlHiQl98Z6wXy
8zV5E2O1mfNN9LuLMODNSsAg47gzTGuagOgrgS7s9SEKrANFKBEBm1A8rUj7
wbdBCh2QgqUUWRQ8jJr58UfPGgGL1yDPsc7x5DwFiZ5h9zo/jb89+AaIE6vc
OUkOcAXZB6JLrog13ZvG4rvKhdNhAuzIkKP6Ncxwx6xp0CANKyWKiGoK8Oy+
usrhs4t1uiDaRsKG0YuAaFzni2uE36OKNOtHYvRQqgJKIOisKL7nC9TQEEGy
MsdfyAYxrdYxaLdlYFJwrCvU+NIlSc0lLkwsE6JwsQSIq9v+TGsCXFNUKpBK
g8wBBx4IUcGkhQICKDkrUXUlBjblDhNJ5gUrPYDrQATgkkwJPZw8Deh6gGgM
h7RwrD1FqwPcyzxL1Fru2QepFR6H4dhIULCfCYoyePFtkVtlDBYyMwRKLn5Q
tY709NDjaJlfICxWV7CK7SEbTQZVPqAzJkOTuCRL1rJaFsAAI3mrSBbJNepH
cLioreWIIG5PNySYIbbC6WTJHC4iiYC4tprGrxKDwMWZIQXqUxxJRTM4aRRC
CZax06BYJymdeQDUJdA2UELqiyTmJWWQ4OBfYkbeDoTHirJivECjxy3eVpRH
2UGUL9PSndoiR5glxZLtfmyaEoZ1hvh4zKpECURLfvOehJCz4cQgwAInIk19
nl4O6AtkJXxj0MaOvBKk5BRVfRioRgFoHw6vr9gAAVgJ1wyt1gSRkJs87+DS
NBLKsi7kAz8BuKesDmetLCZ63MpjlJI+I2oi8ytokVK5zwrZ6qMP6eyR1fb6
cg+YKQXCW31ACmu+jhfrRAf7uFfpYJMnO8h3D0q6URrW11fBSPUAEBgb1lrv
07IHx8hH1x0OpxB1EkmokCI4ciSx8Mfo8VPFm6Pz12fRaDiBxcJJXoE0Iusb
7T4FGBF5PT48eslqmNeyo5Mj5b5n8skYx/ycGEbY/9bW/9r+E8VxeX2Jxtef
+OOs+sGPWMaOXqL3rHSfOtzCT1vfrA/f/mn7pIBC+isgQPunP2unggbvR3bW
ydM7f/Vvju2bu3vu1719/W20454ZYdCWvjmxb46e+dH9F0/9nM92ftZGz/MK
mFf4M9px2x6N3XLHoyfu193xz5m0A0G3Pj2PHjrayI6oLx/cRVvhSl7cAq0Y
PgAyS5xrEAPbyb58ME2Qzz34kSj3kSrOZyT/A2aycbbAcHe0len1dRo2OoaL
yziDWWbIVecgAOU35XO4nxfx9AM76+BC5+tqAYyzlNWFAh8rSzVC++kTMt3r
NLmB10HOnYJuI8Kzk0iA5bLBSbfdD/VsTCIQvZJEDGcEMDoYzoRh07A7FHOd
xQBfILXKhSHhk3F5uwweUzgbp4UXd+/cJnGYTv6DEwJJzYsGBOhTI5B9+jRb
O4U9eJoXosps4JNigdCpvkiJF17DNgOymPXp07JKYWwQG6qSeMciJfORGA7o
JKyo6VIfInIHpGKRXZfMI+LVCuQjtOsQ9zGy46dPyk6IVCNmnoOIkZJVlnWp
UzNn9Bo0hTWu+dNDFEV+ZKTFwwNMBznhwZs/nZ0/6PN/o2/e0u+nx3/808np
8RH+fvby4PVr98uWPHH28u2fXh/53/ybh2/fvDn+5ohfhk+j4KOtB28Ovn/A
QHvw9t35ydtvDl4/YA5rrVNkJiFtiGTNFYaV4yXa0tMjMH11+O7//b9HuwCU
/ybZI3AG/AemcSCzBBzj2fIMtDr+E7DkdgtBHLP4vEBT4gr0PfRswUVlSQuT
n4Zbv/sXvJvR4Mm//B6gfUpSE8tjyUdA9Iot6LDOebwEdRZGJFQmoyjAu1Qe
PQWlo4yC1ZOQZDxFopmfkdkQbR3iCtolEYektlJpj/Oh6MUKxCG20XrFWb+c
0JcghJEYGApjRgzzqoP6vI7iKo6OQDTPSKvyWNU7PDp67W3ZO+TvcsZsQmcU
qT+Sl4v3N8Ox/EaGkSXQXvmCcQnMos/OWPLF71FG+xYFKzIPkdMDzeCkB1ZN
i1q8QK8qP0wq9hHKu3BjyI1Fyv6xWDV4djcATyqyVBntDsfDES0OfyPRypwe
OzjF9QEkHY2BpMaEhC4xbovQK1kT16v4cpvUPQxMh8vCBk+kFg/6wkrcuWNa
lJADIWpvmafArTesRo0jnkJ7raE2O+gEV/msbHAHH9WzyZj/vE7KyfrQScvV
ECpCq+OHZAWwA4kVlxc3jF6sC1I4ZkkVpwtabJP90d2nxzq2WEeyqsnUDWVC
VxYZ+3o2EHmbtWqiAbcCtBxoFin23oci/jF2+XmHJHrdYo4aEAPiMHqdfiDn
w8mr4+uxWlyeobUJN9Q72lYlgVFwdxe+MlpC/95cNi29dSfWpei581a9a4b+
HpzoFXcWvRZzahRfAgjRk8eGLhA3ABNLNTogS7uVpMpKr4DX5w+QGy4QBgQA
Z1ZBQsHnis+/OTiUQFXYU+vaBydm0HNv3Y7m6FnuAcLKDQRUzFdiMZrniFj6
KJ1tQ/m+XMZ1XUn0oxPeE0gTn/9zmoD0QYmwP9z16Nfvv7vrkR+2fvPThWz9
+f0Pd6/lHj9ulK/ff99HgtsDdfX9IQgZ74Fsw/n1otPf4oH2Iv0Qdoj/fB9t
0//JKL/7+Vv6zS+7oyg6OD448vs5kf2c2P2c9HnneGx+P/9sZ9SuTAGuqzL1
WTeO+f/FrVO7kOBGO0PQqGDwTmXrXMgDMijhKBwLxRI9iWyZCu9i0kYiLpzS
37/eybYIxHKrot4piSeJRKf4R0uKj/FKe4/tKF7NIiOoNb53KExTCpVHI37o
u7a293enr94Dk5NAKfJeYyI9wKcIIxWYQqsUJbQ1eACFKaBCXxBe4XB4XzT4
Bo1E7esksxDDBiNgUCBghyCNxQjLYhjdRTdijYVaVxOa+IHgO1LOk7XZIDfO
7S4RZ+woiaAVKCDEqMfajlJt4LtWe0uCxQmC+vNWAdehRstS8BLDHR5G25rg
1jvlP2Fc1OQcJ0Uf0izxkv+K1OIGuPDsN24eySIgKJETiRtDCqITlkZ67HfL
lSxleAcI4ggPpsyvfozoDBg4t5xxuCGmqdxAZyexFizZkocCVO2crNMG20lq
RX0VVyZxSQF/39qysSlTzG3GK/Ngvl4sBnMOC3xgYjcweMjsqEXKKzhMDr3q
IvnMZuVzBOo5YgVoXauKrL8AxZ78F87CafQAo+3o/OV7EDXg3wn9u8sYh4aB
0NrBnqvSLik8DXctg8yZBQo8swRVezLUNwDqLm1IO3A2t5LOY4fdeHHeO/Fh
EQedsk10mZLvjoIe8gxjx1xcw0lUi0Vjupk5QoQKeY0UkahEDkXczikNw0to
BO+ATgg3NSkkEhlXwBFr0VxSdhntaiEhfDPRgh2EfZDj24SE0GNvmOGQn7gv
diGy5Lhg5BWeYHYpgy5UAZlbq7r3P4ACq2QRKFIQ06eGG8Y9S6M8ElexrOvc
RyjOKZarUAyCi/e3gLA3vdmoTvOhs/8fuOZlYURvxEuKf3DVIzgIY5UDA7pY
YECgYzVON5O8cHc44XbwcimesteEPn+PSYdMbGRKDKKiOOaOudU9gWIFl8T5
MJv7UAfY5pxVOiIpdsvoFi+7A/LtFKjCkeXFXG+JLfX2Em/i4IDKW46joXo4
HHnIcYgaVaceZhfBvkgvCgyWLL2qxkpZv05dU43lQU4Da+TphCOZC+SgoPgG
hKqLwZWNMBvD7fpqG2LdDH7J55iQgyASKcT5T7v4FIaL5RxCg0hMvkHVvch3
bwI1Qoe5wxokBevlEoD0N2u9gQfxOTKYJCU64qc4ojFOs5UojS+zHC00aIAV
TGqYg9oqiJBa9tAHcx8rj/j00IlzZDf9OslQLmKBM0xII3822XIJUgVg7RJj
0mGlt14Q7Tl5se+9Nv7XCbHwTtLr3t4VVg/PBrZrdGEDhick7jal2jiUa1m9
zWczvz7yGlNQ4210wkdGYbrw5ylmAMFiRBYhfyTKwDXr+ZBdHDla565iFFPp
2i1uDatpi+jT6E3y7Eu6A5wa8jR2ibpRKUag5Iuu5AFGRN/kCk/yYLEIvTb8
yiZLKQGH6EfdzifRS0MhQWgDQKfzYrHG4AUO9qv5iMhO4AS7rrMEAnSTwEpj
vuuUJcN6UYLJ6fIYH1FTeBGjEyyJAp6ohAKntCieG3cPuxvY1zJ08QTGoVMz
DBMSWHumc9TwSOJEwVCUOjP38erC7n1wTnxZJDX+b+TGHkqwfRK3tnV3JbHX
pBa5KXrWtMQgaEeSzaiImBiQp8SGkFgjNJLZfRi1zpGSFvcG87w1dgxdMZaD
G/cUIdBcE3Q+fVriewN8j4B1HqgTuMq7Fbl4ToEiKO06JuqphWK/CkZ4vO+6
JS2cElllMkdeeSE3nZ1FVMuEw1kuE7J9ctBAOOGw9sEusSqORoLLgn6vki2e
/zgj15vj85dvAXXO/nRyfnzGVpPv+nic/QhwKnSni9HiH2FAaXXnt6zllzUs
eVvZIRrEQoMZq57v8+I96IjIdxA+Y2NY+keYylqDFTbs6Of81EZpM7qFMJkw
TCYOJjzKPxJfJhuf+lXgUvthMCEcdgM4tIzyu0H0c//vvviye8eO2gyRxIo1
qKPJpENvWgenvsv2yDF6pDZ+esgGS7FIsnpbJUuhUUhqG/ZC5KyDZXk5GiBD
JmdoSkIFqWmJZPDNbzt8furYCgITOuLnnRfnjjCJuLR8jOQMgEiHM+x5tNOP
QJodsxQ1sQobP0IcsHQuWJYI4u4VtG2Tsz1ZjKeoPJViaqkbh2iX6sFN3laz
qthJUFJ2HkmZusVuwlKohpYjxMgrTCk5ki9cmmNkLdFGaVBMhsovrTtkh2SH
Z5HYsyDAZ3pQGxJGw2DpsvdILhd5jHx44oMWczsrz6F044L0WahglbTDnRVS
y1ba2f4hUAK5SeeAMtEPUYvM8IPZTws9+zMFav5QxwusstH+4dZvvrQ/4V8b
Pwzo1g4MHwQg6mrbPgzeHHW+aaMc294cdzx095yTzjfb5vzp59lGky1RUNp8
0GLzn5NS6c1xd9HhWuoR4zgQspnYPR3lT5MF+wQy/ioMggO1qSTTylcgdFOW
B18vigORmHGOxDUaF2agezLN6V+XoEQmZMfOkhu94BzSfWgCcI0G8ukhKBzO
gEe8SUMa7mFo7JHEC1LftrMkMqE1zyNMmcSxdlEoGYB1HbYPa3UdNLznRZGg
lb6hYsOm5/EU6YLCtEClBovrBGEWZNRUE3/DKydc0ZmtiCEiJoRGU6Pb2HBF
DuNPXREKp8dJRVd1ynXBcJYb3Mnqua6rdbHKuRicaHwaJLZp4z5rHsWBuCzz
aepDKwLcU3tvx1EE1lXEvjQrRfPCcFSMkMJ0GlBY87IK8is045MWKzdjDljp
wVAa3Civ0NDcggTlWtOdKVOYfCyc+4M2k+V6GS2S7BJ2Zd9lPwvaFrAGAqHQ
coWBdbh9TTysRT2+zG+Sa/SwkdHGbg4ERgc34HyJc2TQB8tVFcAiuvqf/9v/
Cf9zfB2NOZQLhI4oerC383F3ZxuGpQA9iepCo8xN7jxVHOwbneciGeDbA3pb
C5XQvZRk/GC5nCCEoUHq6vRJcWRU5hN1dYRLN0wAQwmEE5nQhcTcAMiUM2M5
G6pHrFGeD0P/RDvRAWQzdg/yiWP6Fln82r2OUShlMGny5hN2i6dVKOxq7ozn
3VXOpeQxCMonbUqSlL2eWS2l3R2/WwMvyQ/tl3TauaSxr/bhtvJTl1T6NblF
oL+yk1Q7zzSKsgEx87TAX0fGEG/BKpl4V2oV9Way9tkoCjeKZxzDkAuFMgG/
DIm4MlFbDbrJjsRMaxkMGcFqpUwAy75C5D/jyxfyNo+f5CiIF6SBmUc4DxcJ
CRJOJQwBprdeMWt3U+FWladafW6Rkd01Yhqklzm4mTTsYLzbj4ZD4CnjQLGB
AQb6Wl0I3jrh0Z9H+Dr+Axo9jBENRiP+BT4CuWowYrmRRED+fLQnv4wnW8eZ
dmDgbI/JE/3uQH/BAcY4wA79o6PsvNDhnrYKYHbxKoC9bcIgmTk43Sf8pk71
AHGnOQgxqUY5xF2Axrwzr+5SUDkm4unJ8TWh0OL6a4S08uIwektmywZqkEfq
1pL2BlOBA3yRuzodFAKw8xHAm5b1ZdDHvZaFeJQbjEFioUxOfHx31PmC5VM4
7vaQ5t05ap0XPt4872gSztv5QjjvzpHMO9pvnXd3BF/cZ6DRvgw06Rpocr+B
JjrQwVeH7bDYHdNX9xkMH8SiSIDgJMWgS4TDc4sG7QpRB7mADw9K3HWMgxkk
qjUuSpYryJB0Hzzvcfq1/ikmA0pdQMHRUh4KJ/3LmmS6FbpkZkAMpxXFhgg9
d/6/ttU5nSgt7TWIGxfBBd6YbOMT9eEymNDS8ZwNOc67q6YpO5JJwQwB3UdG
PCVAsAAJTAcE7OWSCypxkkAZXSWLFZdJQcJOhU1uSA8kbYCjs8O0AI0w7qHs
VFEMXEGCOYx78O5kG4gKsoaSY4QDOHHZC3IzlhTNwGXEJEXAV5JogRhyxUA2
izhah77jhVDuqDDMP4n/u10BJDopqgsqg8p9mTzZ6jkgpGFucpc2iBLbeuH9
hC6TWxRJql1QYieAdEWluzUPVLNAJ8ORT1aggkN9I5EoGwYJCN2pmKcRCBQo
0NzWB5zUBiSpjX1R/btC7SJNNZINdIk6lI3OXKGqw4CKAwhw7caH0RmlmNeF
PA9MCtQP0CWtJK3+GvMrOF0/axuci4+o1GXGGPoMbmrUEn1BFYPbpt/5+OJF
1LNEUHYUWrThRiORffGiRSHYbiwX329bL042vGs9yNLut57x6GeuZjzSlDVH
ij899NYBUF+sio66sKpUjuphWk2AniJSmnJlVN4LNDyYPKGYpSByQFzjohde
mTyuDDPx3IancFlnQjhCnd5ZT8UHfzIPMhwpFYUFbK3yROJ93/tW+41YD0LL
qkKd1wU8kUNXb09oWMGnL9BLPLMxYveoOMHA4aQ0XAOFg3hLTFDDDwlYDuA+
eTeM/rSoUowOw7XXXfQYtoURMmgNuMrRpiIVkPysNfOSd9UQEMqwVBmXwlpn
3s7QkkiKBZv0VDjMwzMkWJBJOlRN0NWzNIVHXeUWDOlKM/8MNtoxiWy4ZWBe
MZCg4HVWrPJ4RXiQRZccUiRF0dz2JUeSs0hJItUdYV3Nvvk7yCzl4cPsVdHc
TBUnfJ0cYFJkBf+GXwHOEtzrPg1LGrJhM4arsLyAY4XvZ8kSNpgCGfvYiE8o
JeSXeDWbe318XclvZ8BsMdBMCupFWDjlkvditqhGR7NFYI4UDkjaV+3Ca1lW
vi6MaA6wXE8kFquu9eVoCA6FTkoMRXVV5OvLK384QVQwFVIp1xellG3zkZW2
snX98p8HB91YtYkQXibwFOu0QTJxkRDmI8Qvkmm8tgVEph/KKlkFeC/m0e7Y
UKnZuqlwEHsQbQWt0qZFqP2vWYNEFsZX1cdNedciVVOBO7leZiwhmFIlIiMw
pQL5/WNjEhOoJFqi3vHfspifMmXVGow+llq4AA3SLH0SlsSiPdxKJTY5OR98
RoWrMOk9nfkKrHoo7qDTWpJonSZimfR04UlIkMONqot4GEB+XaZiz2i4Irvd
dCR+8vmr7/TQXysWN/lGof3Zf6EBhXV6XErwPBU+vb/dn+1xYWnoLmcA0Eef
544KAVbGbLUkXlLIu3p0KBqdnLGwFGHooWwi9PkiuUyzTHUzUjGCBfSNQJnl
Pry3tidbo1G3hMDR6lwCD/GyeNCKVd3VGXTjLxO8dWm5dMKrRyNT9NKjdV9S
r4Elcfmc+3ptiILRexJsnEiIOJED76uQR4DMldVGD4qrFH2P2dVG2kQ26kY6
XVMWaIByeRXEATBvETKp9lAPq4uUFTFhphyPixTCq2hzMcAW+arArXbIvD2u
CXUNkhqXeHO5F0EQ8LYKs8FGSd7ztnCDpZu31P/Je/KTOcs06ahc4FCqGf0H
Nnr9D3SAzPeIatkcA3VC8smv4lssGFwK6/AFCVSUsZVCRJSjwnAd9m+fWBTC
g1aLM2LZO1hsirTPFlCkQBCJ26cLwOCaLlBjICki8VJeOXQh3RK4Kf49V/AO
XXwG/Sh+g4vEonJD26xBljhMkhSPyg5MoXSohcVxHxzShuq1CykXN7+o2HOn
ErURYKT4SF50gDegDFFarwdHPkDQVbCknYv8wLRrqj5SK5NGIJFaZ1R08SNe
SzpYlVIwe50LyhVolYpKCbG2wh67vWte/ne+kNinh5aHuqIDGs2kte5d/UWq
z4hodlWvVfeoEfvU47zCbZJnBLwBE/cFvyTFQ2qt6jKktm8pkVBaRqE2DVM4
zL0AcZ6YM0ntkt3jsjDCPJeLvFZuFdP3O9IZe7WLl87eu2KZXykLYZHHT9G/
KwezmbhZn8eW5dTQB0VPFw+sVN+jqdqIOsBUS/c51pSmgyCliYqIiBP/4IiE
KwUpFTm9Y3PIPG9yapFQD7cbY7rANAiOx48n8vE29xX5glhd5wzcQQPtC0L2
2xUAEwT/5uCQA1DKYfcEkvS5cXOuVooj8PVYVh/oImWF75HVw2k87EjpODi7
MZHw18Qxyimgvg0YI0Hi3plMJ1bevQNtA+kKmFk6sxqFimAyS2v4i1OEEIaB
HC/Dkeqs6E3WR3ZY1qV2ygGj+AURNDfd76hn4rHdPd8OpuHojOmUyvzlbXBA
9HB5D10gCvgOSRAYUdda4rGRfuZH8TlvzaLBBFu/NYkq4UIlKSfd5UF5aNJQ
htGLutjagbipZAiS0qn5CD5s9KWEisamh4CpUoICRGvtyPqwNEKMduX5QHRi
Uw7yMYzB3gHgo2wncuIHHb2LEgihIUuydTPJ7UCFKJ1cF1dMQSJYdda6LFiy
eA6asYuWbZbihW1BFXE00TX39crbkoPhjW3nf63Bc2PMcD0mpMV+f/A9CYQ+
B8wZhFry/TWQC4N0iM7XFxPWqdVHOpfXCRuXgBRQFMoZreiMHXWVSESd+O7U
pGEXZb//nEwVAjOMf5m9Va1bbsZOM5XjumJd83gI1yfxX7QOHJAaitrE8LOW
4SQH1H8jljY0xXr7Tds6OshdCE7NXArizDeUow18To/KsO7Ho3JDqqvGnGCF
BXIKtEZKeeK5obKFHehrEcS+ft+s9IBUs6VYbQdQmk7zODpbUwVx7kEN5OME
GBWTWqbJrsjb4ZkTlozot/05cz2aZvNHoJUB7XWJlliI1lT8iF15eVuIjuQA
lR9qjRek7wIHx7csJHRt6+A3BZbtm4mlg8hpGz09NGKjkFXaeCvpCDKnGxJ0
X7dZbj78n1Bi5Fu2K+IzLsWZJv3ouBF5rXlJeKi0ouHWac3/JS9xtY6Sy2v7
F2P2B+nLm2Vgn/5HGoDbO9NmUy2azWhWciNR0t98I1d1imR9tU8Z42hT5PIS
C0ibvQclo/6D7Xp1dNvGZZmWaluRwmO6CBkplURxjdgkyCEstdPCHY0VdDBV
20I9veVymxLTgGYtX7tcdmqNiX0eB3IJBviklG50nQeoXnazjmPZrKotJNQK
fsmspn2QC4V6iqB3PL68S2YXlNNQFjmGSA6Jt48YW9sn1wAnulD5wAdnKNQl
wAK6/Xiy1L44f2icoOR3xlvgwMyMfBUJM3vUbAWlAxmRjSGo7iZomQj7WUiU
BJKpGbNc9I9xxQixrpB8z7U8qCy+6IcGImbIX1K+CmhXXczKuFJ5m3TV3usG
axsSTMV4oFqpCWfa7BCzujh5Yi2B8P6SILAj1eqBWCrxhnk9UxEPIvifj8UF
FYNMiQtpuCXZn+EqVPVvA7YHdL2MK6VPOF+SVBFtxKRtOoN2h424PgJkVlWO
CA6XtHfktW8AYWvJbJy9b0qcxuLZ/gmb2AwxMVTTPbQm9G5K0TPmOZ/0oMbe
G6wuSxZctGAks21nIy2Sga6ZTO7UPAtDzCSkwnx/t30FL34+na4L0dZi37uO
or/RX6ODEVJRZBjZ4QITVElRP7RoJAJTl03CHlFeR1qEpSfc0GVXbVkpLVsr
KIsWR0e5N9qO4pbeB32l0RwxfsGU8ujYBwQHDwfyFob3BD0R7r+SBslvXwc+
dWj4wj3Y32ctAnii92HEtvlRy2LWwBEusREp8qZ7zqIJXUY4JcOCxGZmvIjm
fHEWTNcwaUgtXPgfmsSBgJc2l8WGrU9RM21E8pMZ8pv4QzJzC9NunMDZZoUL
fULNwFOZ1AnqEnDJzqWSdEBqygqS1Tz9qKzNS+Sod+58PBjt7B9g2f8elg1Z
qcnEqA7bwvXRcxKX6lvGoL4W+7uBtBNBs1x4mJMFyaxSM4XA2oGxdwh7Bw5Q
FLfpZBiu7nqRLPKb52H4/6fOHPXWn8cAVWzNPY6eRw92x4O9ncFkNHjxYnD8
YjB5OpiMB5NnD/r1l0CixZf24aV7z/cYIMtNwEf3f+2xHttj6YqB747q62l9
80PlXsLNXT3a2Xl014uPgavJSwOcafdeM02La32JZ7oYxZMEaOKTnWR/fzaJ
92d7u+PRaDZ9tjffuXiG6RKPPz4O+nxM5vPxzl5y8XT0bDSePZld7M934/mz
/Z3ZGH6fxI/o6R+38P9/bM2rgNul6RStlker/AL1He/tjZ5tyIKX+k7HfzoZ
PNl1GDyUkgMPXeCw1zZCHVYVDUkLZ2uzOB/6tkym8TKBUFSLcQlzpqzjdlK3
dnyWg6Vdl9V1hOqs94hhzzFdeFOp9W/X9drQp2Y+EO02hM5nVg417P65rUd6
GjRYD8NkmslnEiTSUeahrkedbjKJYcOhWmXUu1fiBbbPW8nJHSvBYo7+YKw6
dR91kXXkj9GXER3+KdviyciIznvnEE4dHw1STcPyrt2TIe9RflbzUKSVL2qV
DIzcSYrvlDBwhj4w9KxdEJJgDAK1abIpuIs0+4BRqx3e3c/MPPaK7Ab3p6QJ
h8UejWP7s00YFLzlSoxgpES9taL3sHW0DAuLZKm41WL86BlhcrvN/NG7hwAo
TSrF9JIlNwNe0YBWpAXE6tS682mDym3FhlGWRy+b2fp7kGzqBVVcSoST3rUJ
hzT+EPuZKZXbDsxubEJzgF4zbxJoGQCJX/OQvElPI2VIjWq3s/FnTY+gz3B4
3na+WkThrm5rOCh3XDO6rs0s8V01GFkCGoyU41M02QWpgAQZVCBe4hQ/NiiL
WS4iBKp0IO92LLO1yxwtta6Wd2XV8Jm3LBbXCoPAXz9qhC3/SR/Xlx04Xzru
XBqwxjbeFnhpE/F/1BT8QsMmpX5clrtUhdxx8gcDfv1Bcxk+dB5OUx7r33Ev
pL3eCZBR6k5MGIZxRsSrKBRTx3dWALeEYMK+2iEkLhFF+5LjN8PJG0fUD4tN
uEykuCzXSwE8nzqhrUgPlBkl0a7XVLqH3T218g+xvIosRqvzoDfwKpmiPnbB
oHbbJp96wjHN62w2jA7s0pZU2ZYMLT6G3F5ahQfOqWESjyLuVos8i7JgOOtO
vHK+Wgiz01uO165NLFU7MbPpmvziVH7R4FzpABJU9nVMrHBJP2R2cWYeYocy
sYUjmh2JSHNdWPE6kmmOc6rYaf6Qb8RLRsV3YePKrqZGDxuEv94HXWu7cJEI
jBruuHiPPkxvAMA4C/w6LR/RxHhAHOjYbHnZt1b4du4EVCl8qq0+A7yEiiVj
q3ICY3igvzq8dHrbRexBacQ3nrFdcnlR4vpTk6/MjKHO6HrQrxQURbM4aExR
UeRGML5fqciqQaBkobRuAY7IJTha07Rpdr3NY75KClh7jroZ3KlKXvSxU6Wt
bR0OMEQWEOwBz1Bbupqa5rJYTxzNsuvd47lmRluwCaO1DySn+rdyxRBxmugU
0zFRJ3k0XQDqD/A9F/D/kKrJYyjOsTF8qrbzgrUdHpoapD6UctmDDxSGeR4W
a8HjfX3w6jhMwLCpdaoEhkWW4QlqO0slVUCDWkp4X+nXr1oI2XnogBz1aKoA
TkRy4as1rgu7H8k9wCuG1qWAr4rPehFPvfPRJvXSY8OtMY/RTBQPUk7DQrkm
zZHsitIOAfBABkV9s0xqcHBBN/J4Ove1hdJ5t4AQiH0fcQXvXh+cfHN+/N35
+1sbCA7q+S28PEYITj5XVY+CSLLG4vU+mL1qOHFp0A3Wx8yEiDpIDz5IzOKT
OqWEPeHKBTe0I7xcOia3vhcciVIvjIXAQ+vq0YsXj1CcYheb3IQatER/rCzW
kJVyF5NqSe903wUlhnBw7abOGbjDTUsZj+61FOmM3LoczKrN8qJrPTCDXQ8+
HaxeM9UluxapBEcxnWEUE9Uhw3iyA1U2gxgnW+Y8lhRMqp9IKoCp6OxSJB7Q
wR24bx4QnvGnx4tFukID2OG6uE7gK+atWCW/XiFbYiSBVXCRKez4tbDRVHD3
WUWdua6D2kGVF7Ohx6HFcW6bCAoPhr2X7P+ES76mVo08iwpSx2fjvScc83p4
dHbAZPLs5cEAPu5HB9jJFr88OD4bwO+s4B3P2PLnSB7uPEpm2LKipK+GBlhW
KvSkhuZJMkpNtHqbSF4w7FLczph/a4KsmKLVQenpTwWfxGUV7WvNq4OGLcJD
3Hp671Q91LZG7T4keM60NnE98NpD60y/B4BXIS8gefRACWSr9qi50unoVPuT
QF/y7UAxByUjYJTxqlxLloaUo+y9On6zbXNc3uVlNfjjOs6qNeCVkRmi3rs/
Hm5H8Dx2doqDVGntZqX0d/VXoq5SE6KWJ9u1ATKMEusyobD1lAeZadQf9yfb
0Q1J5xh/urj1aaa1npfUScXn8BIQw8KF9RKzcPvagvycSgeMFbFiGP0B4z0W
QcuLDX0ImafVexj2A+kwFZPVrxNAWM/r1ERU1C6AYZnekXcOyfit8QEdMdhW
0WbiozD2thtW4lhYK6vc90fqDi007TFU7EcwkC1GY1TCmBFPQillglFNxPuu
rd4DsMP78BI2JWlyjSchJosG61L7Ud3HZDJqfmzIm/brjnquvum2e64jvrbn
KYR/tgW1sFORyQdorNF+WVvp1jF2eggg4kJbPJmPyfDs7STMuxfxRbJwl9IS
Gn7JskbpKEzEzt1OUoHpeoYVftgyJ9IHB22gMrK8kHIJ5GiqMVLui2TZkJTt
4dAG9JRqMK3dLUl2lCedmcQzv1f7LOXyNYdosyMyALJbj1XrQm0zVFZpgMXc
BuMx/jPSDhsd05J0iz26Pas7OfjmQOWUWzRD85MD/QgVd1oDtypd+N4e3KV2
Rn2iCa8jlbxksp0BrMzlA6PYcHj4pu8M+eS+medF4Fg4yc/FTKhitKudR4EN
8MctytpAULCO9TyeUslEL+/INIPRk8GTXZRT6DzNp/ARf1y0x6mfHB8fg6b8
5t++oCIYQ/GrflHbHDdCnkhEHiWKFNizWG9pD+e5SKtt7+Ygd72AvfuWRT1Y
N744bIPpLk27Z+B6eBXD/8Y7LYBtuG0C25/TyXALslqzg7Jl/uhJ7UC/xgOV
ogRS+wNk+WzQNSlFgllCeZWi0Mc5iZSyaYUDynov8GxmyeLWSR4bJ2gD2pih
Nt5rgojmd/nuAXxULL5EDKSSMEJB4E0gH9kUb0O4OdaGwysnvjCqzE4X2e9w
GAIXlhnoIy3ax+E3IJePhjvyxqdP+IHrx2Lb33EF9h72baEi/nCN1axNtaOC
RbLQyF0GDSEUVVjhTt+rBGVE7zYRRfTPUFj0JXW6sjAaZd9dAKVmZAF06r3u
yGHqpIw088FoK5fSVK+q+tnjDl1LFm+xCR+WJ73o5nbR1/ZEYl0LSjCxAOby
U2sNFHCJJXf7I/XK4otp/xc2ke96ik70MsWaRzRZ8nEA36p9LTp2hfk5rULT
stAf+R4EC4zVIMGxtaOqI3M904p1WxLn2TjStD0lqjGz3shJ3b6u0BLekDQK
bj/XMRKyhukVVaVA4JtmUKRrd7eBxTgwFyXmtSmyLL199S6sgnWmxaWfDpn6
Px2OrXuF6srhRWJLV9CO49FHY9FDWBkgsY8+NB5E9RV17h29oyot2X4Nuq+h
CjgkBZP+ryPBTVxJAMIds1MEqtOM07CKoihhyJ4f3QbuQnyD3Z9or5vD8hI2
Y5v2qLdAywnGJA150a+BBYyjm1KrgY9uA74eHP0Y9lelbhfYcI1KgxXpqnSS
vvcF+EJAXDzZ9f6zTRNds8p2liFOBg5TEGecK7R/YcJsNOTP70AzkrnNSpBq
6tVVytota+WQNjTQFJCwwcU4JzFDFI+pSkK9ua8VpslD4LsNiLXDiqC1Sg89
ak4lPZik7RD/Zxczgg+o9Gm+itFtRitTsAxFccBHaBp+66Ozk3M3lgmeym5f
olup+odWZpAIB/yQkvqZhQpwbNwBraJKlmQIcn9FTrYMh2WLIHz5nrQTjWBz
fXXwG8LtoKlnPBvgoKL447KOjl6LT4/uD/xpTXq1liP49RYu6MuoB4Knn/05
YlIfPvoXPzF8iAb6/tZ2awSfrsW1DJINU9AdViRpQWHCYPUINoBHS/GJRHEW
4yQa66EVnUiB9p5h24qvVi7JuIQk6j5QRoLEs/iizBdYrIO3rqlPCqB+9G8/
uD/+7YffekHHg0vj6BqGOpRGuFehDCA6vmKIUCVRI6ewfErWQPEERVH5u99h
vWms1VWY1PFrEYr6naQzHiALj6l6EO9DW32UPonCDYUmRV0fN8nEJX7eAHZT
XNUIL4ImmUltAEqZ0pn820EJuGl+mZEThGl+42kpIyOnbH37mhwDkBfnJOKQ
KSHklkPGXurc6QpuhYUlL+Lph1rMkmv66JNaw/KSzoIsNSZZ2NVlh6ZGHldK
adLMHuPp8Aw0GygF6AGXC+M3aIrWK2mbr0hZLx3FSbFa5YTLgIIGzYCdid+g
E0UaKMzwWFOza+eyMZhr63Q4rMI952VKvyPGD80bX0Y77i0kgtJx2lmN+U9i
71E3DJAsiRVGSzSyKGM6VTjyrk43RwLc1mt9V7y+VCvlFb3RSShppkjU+xcb
qoCKRmZualAtzBnyvbdKgWxqhmAxJiKS9nBsQtaF19hENXLT+U4xjK4kdAZm
M0UcM34L8Q5VB5xNiv2RVaLRcRi5CuYgA259FKHsYfSOTxFkLz1PlVh8YSyX
Pr7A9iFS0qSta3AQl72rNwUHtgViTJnIMIZKpAcWJWpCRD/aHbrFMsrAyqRM
J5I0EvkU6SRxVgWMWV5SfIrpm65jeImHfGLUa/Aq1X5HWJlMzUJqGHRA0ERa
LJWeJdUAmy3HFZVc0IUqNRJiwV7BtJzGxcxzGibLRCNMIZqtLbfb0pfhurjV
YBWDzuyFC+4tM5DeqkzWs3ywzU3SAcvY0sOarikePg9Kz8mGgfIaSQmIOWtE
wnZC8cr5dG1im+HfeLcwB1W8eYGv/K22wNGj6TUltSiHo4Zlcz2kLwRVvsS+
ATvYlv4mF8u6I1I+FLLZjUd67dgNtoy7SyNTB+3a2K4SXDLzBh6GdQuk/SZ2
PibPbLqaWVPb/KPk2dZWFz1zdKH1+Mmig9F0wAEPhcoqeMVI6Dxw5k46vyuG
yJAVzUveNsBz5VEzYJJaBRaHdMY6qnefouZBATUe3VNigHw3YBIpzmZ4xzsu
RYqFEIK0VB84Lurr1G3RGv8vXHPB9cpUuutIEB1GZ9QGwA8h9EvNMElYhtc3
w6ZadOTvdPIFVcoOfQy2XTSZGqpaXQIK3UZW4Jv6mORvqpAdLKbHvJIdaK19
HOuFpZxBcRh9n7SswPj4P2ToLbHpBFSht0RzFiAGSklYBVWc+6SA6nJY+gha
MxNnI4lFqnYGPaGTKRFc7Y0l4iG8Fp6UK2ltmxuR00SyElwRzXotW8E0J2oF
6Kk8kw392hBItT5Q7pNr9FfUlKGw/BjDDCPI+oH1iHJC0OP8nCLBXkrhLrdH
ru+s9vJ6A3eKDuNyXppbqbmbmGHZ0ls+qCcYVF+UbEOun8llZqmips4lLj69
SH8q0sG7GLlegU0i0G00eEEy/m/D0uFMts6vXGUiW2u4pRS3k7TcYUhL8KJI
yQyWY7sQX+1IXnMOBSn2q8djEmuAYMFplHNlqjYnax628jOxXW1lQb0cpuDw
FqZw83CmB60Xr8eddn/buHhbk6Eja82yV2GhDk2F42SK39poAFe6gzeyMiPa
4FROHrA46U3dmzzlKDlxrRIb1Gp8BFl3oQzYI4hq1Di1Ed8fbM8k+7mMEd2k
KSq5tcehKUSDJHDhLsNZhz1LR5cSjk+GpuuJmGFZ7nN5urU6LX55Njn3aVBY
dxcdRouFtkF4rEqBVIyZIxHsa3FaoaixDeK1ypOnBGTac8JGUHU68Fg4lNt1
zqU2iujuoQZlN5NqPKrUHODsqAZyOMO1z3PtdBfQRm36WYsqKKsUYCNuQ3Wj
hHU+634Ujga9KYAyDDQoS+31LituirxbDL+ulA/Mh3xskcwuXeSWIymqnTiP
jitx2w4yDWX0NodaU4ikraiqC7fBXXhNAhFE62/Wcru7WRjnejOQ4IkB9tyg
Q36hBSZslgsFOjEZ6ruLEwTB4e2Fe9E3WogE17dwolhKDUoRT2L8Kfl9HbVu
BZogva2ogn1GbMOABdp5qIWQjtnn4N15okyY8nturm5bLD5z8sEJFLQIr1St
ECiIuAYLEs3ExylXGuxtirpQ+G1QmbeyIpgtvCjQoJeb29gImugmLu3u8B7h
XuBOPY9O2gu4BknQ3lIGmjeuj+CKixSDggNwHNHtCQK8wuTSzFc28ELXxoo7
eMN82Ukp7liDnOazWnF5my2BlBHti0Gr5CnVWXxZnbC3Fnn9XAp2sjCqRgu0
bpDUIFAC3aUtRVfFCb8gFCfEKu6i+72woc/XjU8BUONomX7kLlsgaOE9eHl+
/i6wZLG4w5JZdaU2vJTFJCaVLI62Vew2PqZNVP6ipdlEnb+FtatNazNL0FRG
46L8wdYdMaazVWs9oaHwJ3SRga5xFZfeWuU0KC7vuKZuE34+od7ZMOqFkQXO
To1ft+7Hs0fJXEMNFCDtKr0Z61WziNXd4/u13DH+ZLitdYyNUVcTuePC5au2
0k6NY7mRCq3ETDBeqQqel+g1aQ/C+ZFLzteL2dJpnn4Mj7r2AChHUUxlrIZU
5IozdsKt0/LKIRs8vSRvPtEJZ8ltWbYvW1BjLLailnKTeoKfpqpMYy2sH0vY
Q60hhlVuXFzTn05PcFAeqnE/VYoi9N4kQSKzxMCKra2HFIp9lFDEH37/6SHW
hgck+ZGMFa+0QXzY0OSd0xXVUkGk9JhrrA0A4wbHH1cs15y+ONzbf/IM5Jxa
HdQwSFN5VXvBV4IkJT1SbISP3ak3nxI9shStRz0gNON7WR+GHkk5OM390+9p
zfQ1/uZsqqbTAuKJWc6701fvUQyCd1bFB/iNghJtbyqKriLnYpFUjqkjs/El
dkjsjV0mwSxEBvWxu/WrwcEvY55+TGYDEb/WWYpEBrPKjcmOIdeDBW/zfBR7
EqyuHIaACOYhDwd//erohQmrox28OTiU1vRIv3BRJIlwFAfMTN1WkERS3bG3
r97IImA5SN9dNVJbF82gtdceanp8fYdMqLVlgZRNZSDNhE24vnTtJqUgLq01
CIpE0t/9t8EgOgBSEmNTTaVyPtK5nF6B+rBwcSOUR4xjvEgvkdFLeM6f19M0
S6djqgV5/tXRcyDTN0UqDX509MHg96avkMODTw8VjcVO1Hrc5bZ3cYX0wpp8
qFwEg4kty8FUYekl+4P2EZgk+jJ8oReV8QIo0cmrN9F257tbvrEVl/dvYMoJ
Ygo552G4oKgFEUgMz8DZqT6Uhhq6EAZn9nIQq2FAKyHalB5D9vx0voGKlZyW
JP7gbpgAwF7CPRq0fmeo5r3me3VMWU93T/kK7ik8aj7uR5RC9eBBtH3Pqej5
+00FjwZT7Y3GMpU5+VfJdBp/8N0dawajfAacHwfbbnT2+vTp7N3+zs5gtL/n
bAFFUlb+CEMuUPdi8B1BEj4GYQT/O0nGnMOCf+wmkyVFa6Qsf4QaKsWxYB+v
wYfZXBNXMH7jI2skiJY+mkEa5SJnTjOWd8wtrGShrqeJVt/MrvMFWUcDwdut
1Dyi/BO0FcySEuzXOSZazVej22yfDPPcWPP5GSjtZEW+tJTVsXafWUIXmu4L
uc7x+rpKe+cv34+H+hUiTFDzz8VDDnxkZJNZYZji91HPhOsRQ9Hgxe8R1F+/
/55TcbYbYRZah+LJUCpRmBTFc+8wokkuKagECA6mDvL009u+l1gyVa+RgcMi
0tKkWXTXNndiuHlthc4pIySUtrrLAVbC0JOTBVJ0KmUziuWmA1AijQhHltVJ
bbT5OmNgcB7Y0919KpiygeLTkF/K+73o+z7Bfdt89F2foL+B9m/cluR2qhBP
xJuUK/wSCadvFi3YGGsOankns8LHgfwC7g9knh6hZJ/3tWHN7m7g9dtwO/R2
6v0IFndS1+FsO8iy3n+jUbBOiK+bpsF5zw5en9NXuJ9TOBYpb4MXzn1nV6eS
GJFBtq6qAEzyL7xHAwkOtaBY8xZy4bTv+nwN+U6eRr1g4xtr/7ckB273t7bI
JmL2zsu2ZAvJ9oajwa/vOhrjl/upR0PTtB8NfoVHc/J982jqq3NHw+fZdTgn
33/W4XAZq+/7lkae8OHYRg0//XBk97rwoC2mahde78LrjLIs7YqPbqPmMDD+
Hm5jcvLnsu/ExBIesPKscyqgMGziJtzkppuw8gh1hNsVb6YrsDJ33jBmD2fr
k71Hw0Cl0kJfzeTbWhfzy2Aa86Z59A4RGp+mCC0ffFFpyIrGDbfE89JrHNDr
V+ojerXDk0bzRrqe59GaHgnDe7cEl6PoN3Y4roIMz/M3Omiq5Yz5Y00h5YV7
TwLCVfNKt7a+9XInYk1TE8bHN2k6ckXdItSzYVIjm/2HmTnAvxO6MvDLbktB
rbKl1Men55Ly8eWDKWiAgMYPusp/tD26UaVZcQ2G/xyNphNTvWLT/cgvod9s
WoBTc8zXr3+mknPXfCRFtMwnF/Q1PLYPG//0P/+P//3HH3+Ut/tWKDNJ1KAu
wNE3lAzKBRPm4PI6ZuKGCciZ8BTc3XsZd2AulcyoPZl/Eubg+EB924avKSKm
B0tbgvmds6TXXZNI5q9aN6+TKfUk+MlzvVgXZMuulR7ADXige5NgN6NSwkSl
tUKd1ZmQukj6q+Pvz85Pjw/evB8b5qA8hYS0CItbMFWiHxe0+d4xDC/pRd2j
jIJRLLZsbwFO0wKi9gFYIBn7AkIYKBtP5X14c3sLHjKFnztGmChhpR+DUNtb
J3+2A3S8vxu871FFIECSyIbX94LXmxCYdM/PctwTD4FJAIEJjKDm4Y0jPKUl
7LYuAZ7ZBEIeYD8YoA7C3Tvffxa8b0GIz4Bchs7OouV12Fo/GgEqXj1yFcfD
9XfhuMsEUuKmqUCvgqtWBsZImHeIU+HtIskG7aNZTo0cXGlr5+qsR8VSkaYd
TDGCyeOiusmLDwOgHZcZMNyE+a3EjMupfXooNn3JgWjVJwgGRpnoNhH1a0q4
9QWQyajb/u8dMWGefKfVVo6s5xQG+htN2k6j0A+d9CvtEdu0D4TGxr2xhaoK
gxWNf8D60VhkZwtXuQYdakoVKdEjXaFXTyeEAe06h1Ev7LQJBziLHtA7D5ja
Eqd1ZpWUKuq5x+0SrrCXRtD704e96/RaNTN2hakxt7W4dqUhhPFS0uI59zKO
jl2s7HF2nRY5Jee7zAZfN3B72OZfs8U+pRhmlydLDhgPLSmWPuOCxGK1YHrQ
HXAzyhX1MHf2nrRmFINn+BGXPlGbjrQ0RqWtrVc1nqc3zwJavB8hknrly+wD
/p1jsSVdUFyz46CyFL7U07V0KFiiX1mqFeL9ne/b6Z1MFb7FaozJZ0HFqNa2
3m/zNb1ia5roaAMaDRADZmhoSLbUUw3C8LjXnGKefcPTpE50AW47WsVpEXYd
8WtfYnWpCy25q9FicL7dw7kavhoPQihyk5v0JiEXJQUPY+XZfj1ADFGIqsZw
0dsryZwiJ5uUquUCcnCnKdwk1jL1M1TquEQB1mutRwRR+0wjpgb1PcwsgsNF
4uNmTSmnHBMW2Gas54YvBP77xHCkeh1Bb+ClS2ySh2rwr1VIIC11jjQdr6pz
zb/wBQaICngX36eHJHnW6IoKp6UtTSAL8KHXWZAsC5i+Ql+xTWYs20RdyWXE
pGbiz6ipF7EmeFgeV7bkc4XFTflF7RXTCHwImiTZTGkWFCh1nbJJevTBmTyh
FX6f7o6JKB/4srsdFVR90n69DNAQzRMYlVRrnG46HOFv2IZ5xNYq+vuYMXDH
R4Fhoj+GFmGrsAsp+Eg8ytT7c0GZPi83iNVSnsOFmymyxRQdmGImV+JWF+UU
C+3iWaRGtAvjt1WzMcspTENxo3BZQm2ztGF1YXhLsLXoEVzDR9QV0wErkhJa
DlRScKEjJiV6y/WfSH4DAUXKQf3IEZTkM86Sm8dAKnIfwO8Cb6ogTI4SjagA
OdeWTZIV0acgiZyDvKjGuW0+Y0Lu+3UFEZhPNR16okgHjSgZJGJQnRgZ3lZh
cCHKdua0tCu9CDLdpVRXawxdr9EUTyNY5DoyFitxo9JE+c2GvAxfIqwf1pQZ
1lIvS+/3M3VnbF0TmpjrUNa2yyDw7kaiSY2ugTiyD8XmDHHnHK0H+XEOyxGl
rETtGSsoN14kLsmrnoUCDHeZxBmRN4qj5BoefQzc6nM8K6gsHKzcAnaAz3gY
nXJbGBfVa8+4ARxdmImfdDkcKQvodPtN5FyW10Z1nsyp+NdcZmxfsrqbmMYE
ZFavXeQohouFozqpGqbrehIChsAlwNQrlKix0ahkulKWmSa0AjwmrryL7lQh
L2blIKNeTHba9hOkgABgJrmePBX2OcmSV9zJENVdSEId6jVUZKmqJaqGkbIF
ybUSVB+kKSqF5kvxc6sEt20z2pxMUvVmi7jjvu8k0m8AxYcFejqsqifFvcu1
dVnQ4WGDgIVX13feQy2VUurFEoYVDkxJEzOr12fxOdNjIYCuyQLrhytX0IkE
iZtA7j9HNiEBqT5Vb3Fr4EsuBHSl6yQ9H0me29w9Np/T8lup43Y70NzOAGy0
HCaYcLWSFqEIqZfzdrlhxAogRZKWqH5yDnRCMt68bSifLle3VNbFpzAYg9jL
1BfXC6Szra0jJ84GBcWdFKxQtPJ8iMxZDUjDyBQ+NDjsQtbVCh+Mj9n7ccES
HIYTk2Bv9GMzkAZfUBGFAK42R5dRuB6OjVR8mV9zTC2CA8Og+eqXXJAaExuJ
RgydfAFwXXv00MR3UjFEz/Lh824msb+Y1DxsltCXLKlmXTb3YL8lccjM72pO
BSLQCCSe5UiMWC8Ccd4+UktA2trylRB8L8woEJPrlYxMNA2F3rW4Fv2g7F/k
TB3vW3Q1655rpb8tiisxzsZD+pYU4MdYUXQ4HE+40BCnwG1tb21Jhbsvo3+N
xl/g2NG/w8PobOQKCl9Goy8webzFUUmuL1nWoD0atJ5YjC1I3cLRy1zEt83a
fD4+2wcSuCKANre+3nMWiy2kFfkD6YB4QgTKIIyMsjkr9ZB9eOOQVncdg6SJ
3FYMBK3ZoLZAaUe6KJIWo7CWFGKrAbimF4+r/sY7kwq6Za1kmILUNHDATfJp
DTbFreubmN0o5ikP30PDlWr4XoOplApssGk2pkqwL2G1J5X15LxGMUi+OMwa
Ey9AhdElX2CqMR++x6KYxJgOTAoIxElHAUn+zofgYeOgWl6iBDzTJBeJ2uDI
AMLjFDKFFwOIffpn2ZQiTjOakM19aVkn/CK4BAtomSkoUE9iW7OKJSfYEGra
0SQ23ar8FF/AnQpq5UOpxcdtvz47NQ8MPIG4Q1fPRLTXYdTD/keUSNqCBds+
O9wN4zJBXdbGjVqgPbpMWYekvlZclKfOCZxM/VvllP5t2ArWmyipyrxIwy2Z
sw1BkAtp0EdkvR5bbVWgf6qkvr7ZbY1mxYfvKC/q1mDKYtm7Qg3CeGiKjK2h
R3tibhQvOZkMb1jvAgQFkQOWKaEsALkmMYnZHhD1MpltUxknOS2/GCfSSGFy
XE7bHSOTf4hZiIbudazfUk8H9jsSvSHANZO/qAda38CG06Xw2a+lBgsddRgr
i5xBrLl6hbmQ6cY8G8ngWHIaYWx7aA+j1xxLqubMsG5o7otw0tNE7a7ynGpQ
tzIW4lKkQFRcHyWarV25/boD7AturFQjrS2WPiUKxuLX5LL1FGxmJv7mvAtM
MJaXYDWngJeE+i+zAdUr/VobAjmhGLGEo6S2r1DUor2/qw9IKjum16UY2VcE
abrdp5vaqxrrpSF7QFpDbwSatpxJDWm2Q3DrW871NtzUa31WOXOJ0szoU9fP
TEgE2QkQ55yNQO6MVcrmnNBt872kCOBtnZ+ztmzojz+kf0hdvhbxfIzi+Xij
eD424vm4Lp6Pfw3xfCzi+dfvv39/ePLu5fEp9UYad1TwNJJz442B2gkxWNY3
McAA054vLbBJhnVnJB35zOjD+h3tEPhCCFJkXfslrctq47qs9p9BXL//BYnr
aUhc1TsbBlA16SzCdS2+gVokJMUKYXxfD5fah/86grQdbUtzhJe9bReL/Lkh
ZZpEg3YRuf70tnVY11Df6i/BesRrN+XtML2bxpiVB4spQCO8dUWDAmrvhgig
wcFQpNWYAGwpoqMBUACa3/3O13rR2Cr9i9XWcfT734f3lY5G41dEpPyZOQKu
MxFACWvRkAtlsu1orQnTCs7K9HLZfE73XJ+rpd+yph1c07hrTfQQV8F38UTc
8MI2fh9YlA/7rbMri0zp6Mybu2OoFeCRMd2A3LmNCqF64ZgYUWdX8zr1CqLj
g1kYAe6t5QqD/fUw4UwP6H1evGccB9jTL7/CGbfPRuTOjfJIS7fMlTyKC1A8
lP4+16Q6TejaHe7WKt8bKt3WD2IToveFQHTlQbQcvYoHbT2WmIAgdetZ7ywH
dmWkk16nyQ1hK1XGp0DxNirxXJQZnxj9ZRQQH6Ay8oji2vuYinfDQ11kSceU
ImpfMiIQGbR8Hu3fPqVE0ADbFhW30rb2mmxFSbwUYGq1SurnLd/4+pEmepnD
rFuBqPFZunPfx5FEGGR4ps5W9LhuN2zBPr/37S3XS+dkbka5swOqhsH4V2zn
0FNpQOkdJ5jH5rtRur6lpqOAawv7o+nvQ5Tpv5A9j49ImacNaK6zUG293ohg
biSCmAP30Ybqsmy8nnycJsksUCcpNM5EvuvKqUPSwI8wNjuweP9lgHPfAZsw
G2tRUce/hIoqWkDT4Nmuo47bDZN1jXT8GRrpuE0j3eSklrvuFLkWH7XW9iSp
FqsHUWdu/ntvUK0pREsDSguu7jNDg0HTuc3rgTVjZEhwYF3tdz9Tb/Xqqb/k
VCYknasOuy1k5E7lNeQgA63JHBQwIUerqToiAQx17oMZBquWeWh3b6me8h1i
C9dfPN3e1FsQE6O99clup4fFgaSHPEc98En8mU0RLbzes+H7VX1hbSCoeKV4
XMt6Cp01jfOO3kizVim5olw7GHrT2d3fylAzLP76VoammWGCZobJRjPDxCjJ
k7qZYfJrmBkmYmYw93PSZWK4n2cn3INR9O9yykyaTpmNGu+ENF6WmQwDUAHq
n0DvpUX+XH133NB3J23M2iq8k1DhPdFUGv2LpasJSpaR1Wp/anp1XbsYd2m1
k5+o1d53gXeqPKOuRd1HrT35fLX2ZKNae/Kz1FrTK26TWjv5SWrtr4MKDeYz
UbXWx5P9cmfcPtuvq9aO/yFqrTn6n6DW3qmkntyhpLaTkjYldWJpV1yLq2YY
11ity9neG465celwUgNwv16x7jNSSYP+DGEm7CvcV3XVlbxKSY8oW1JssDhU
w5m35fx8ypJjS5Nf7qSuHj1qPRs8GHn8lbREoTXb4lwB12go7CQMGCy4h64+
8SjgdPVQWT/5fGX9JFDWT36mso6rCsQbJQKMF3hQj9SyYyPZ7xRAdlUAmfTD
k+ZN/GcJILRytQPZLMEACVrLZIWBEBh9J9k99TTBeySMmaIokuPY5i6eiL8l
SAbZoHZPvNr9ReT1hw6LSo8008NAlzI7MYlFmx1Em1UQDnylyGtKJdCt9Wv8
DGEq/MRnqEpPK6lRyVTiFwV67WAlyANDI0CBxbaH3NOukeLZnB3AuqhtCSM2
G7Vnd7l5W62OmjdJuqTccAZfdhbg9Pbs8O3psclLaQujaZ4o5Y8asaFWYVe7
WZRYsT1FBz1WbY1TLvbJxl7Q/qR0O/Vv7h0cvqKG3HFLHOkG4JKG2V5cn/Dc
Q/Nz1n+/gIjJ/cIfJp9hbJr8ExmbTu8yNvleAN4966SOX1zc2EQ6TPS+5/UB
Ha5Xm/nZRrCTdiPY5L+kEezkLiPYyS9jBJv8w41gk1/SCPZPxgoN3taYoSdJ
/4nM0NLFn88M7ybfjj9smP6XZBd+vn/eIKymeXQXzaO73WnQXrpwReHevjs/
efvNwWsqUcHRb0MqnA53YJ6acv4ZWlslE4kzcS5uXX5ULf1S93mPljdN0cYV
JEpmNa7h8FNbJzH+ipxj81Eod3ybMoOBkizyW+4lxcqEJAn+Ih17+gamekJh
HKJ+uqZMM2x2mJiUeBLX7BLjQnI1fTU4aiKJ0eIuo7ZGxznNp4nwso8hZl5+
65o71J6gkcPt+sOR7VrhSZOzwkbS0jGHmkFINXkPmGb6ey07VIIBAGGRoq+c
R7Ddwr9rrOO7dQv/7q9h4d9tWvh3uyz894rkC7fwGZF8u10G/rph6J/HIrR7
h0Vo96dbhHb/IRahXWcR2lWL0O4dFqHAJETYIyaeXVcZ8wv5+3PSgmoYeG8j
TM1gsPuZBoPdz/PT797PT99A5Zq6tPtPpC7d6Zv/r6gu7Vp1iWTfhsaz++vF
rP/DvcksV/v+dg7P6jYmKTZBuS2adODpMsqLJkQMvzTl0qLeh5rspLoCZyO4
tq0V194xlX8+UPDzQyk98xLeWnBpG95pR80spn0UeE3VGoIkmyDx3bXDqJXO
IIWH61Asbh2MfSpVOYxM5RjzuS8dpgWinLaADw3woQF8SRj2BnHiQ5pxA3V6
QDqDIhioP7LmyNTzoWF+0qjwwpoSAOIUBnpweZlI7puMK/fDpRi5ajai2biN
1B6lzGgp84CNrrGgBoG11kDWlBPiYbTkW6vC7qQixfHgkIZAEFiIriVIoUe1
LEWV59YzF+vLS3zywufWlx/S1QrvxDwo19H3d0lvBMBLmuBxvxYccS3th+oV
K7j+giu0QyUrGkWRUtfXhpxzNzHWewN2soADo7tmtINmKQv6VpUluqXNW8zK
nmtCJboexlhWzQxATZWcKdjd5bWXDnsKApqT1sekoW3a6CtXJK+ed5deXlU+
867WJgsPBYufVdybM83WScvwpspTuAVBaZLGEZvTyrZ2Y64NXIk7s+GFwgbe
PERQy4W7FQuGxxawi/hWym3ZVn/G2oJ9xwt+rNTqiVoeKcmIEdQgIkmeWgjC
VLvhuEpkoait8mu/oHTOA7Jkfnx6+v7w7dGxz8HHT06+efEWPsEc2ZqY7mp0
EqVS+EudzpajwdKaJj/ITTewOaeNpF2MKRUjF/eQ54IgptKiWCIloiXT7o9a
p45pFWWYLRaCxxLF2ssSrClzTVSNdYzrxCWyyimVQ1ksQUIXaxr1DbVDNK3A
OQQZIRAf/PZcExos5zHTzJ1WO8OdLEUJiz8C+pjKqbXzGgIQCnLEhz25tE0H
hR85KTasQxzFcXl9ufWbgfsxv7b+3fnzm60fPAr84AFMjZN/AKGQvZy4pg0/
P2z95kv3Y35t/bvzB9ciPzvRD/Up2FnD2Gdxr2UtvxBc5GcEc1fo+TZr+VPm
FQw+vS64/LJrGcPcks7t1vItNVVtN9D+mmuZIFyKtZkE4UK9Mq3p3iVnz375
tXTTQb5qLVTQ38EmBUHKSLbIM6ZlW1vHniTuqJxSI2gRNyK1UhJ1DRbiJWTR
FeIsOV4qm2GTIsHmzAXIa2kiNQvCV6gRrhHftZU9LGiRX0bU5FIlGV1hvZIn
TGfbe4Zl0pKPnE1PwVYohCh3FiGgWbmrUZtgR9QgkBk3ST9hEn678EiAt/eK
dhYcwcgVbHcKgkjes5wq9VzF6BvwvQnNSoV0Dz2Jc3pVRLYYTrOwcXdxdLVe
xtkAwzK5HpovZO0AQmKFiHMwGHYFrLj453F2uUjLq7D23IM3HKIW1BV6wJzV
DF/VSm8hoyJUYyFEyovNqxsqpZeBKJ0kDhase3gZW4UewtkV9ppBEV8DaNgS
FSaaCvyEr9bWpsvym3YWUa0FCPeiXk5aGqBU5jXA4kvNwWYidqZE7JCJ2BkR
sU8Pa1UuAqQY80EG4gapKSReSjm4IMff9ZgOSKUtm9LQolvLQJl0Mnyqnofn
agnF9SorhS060ZiO2uVuMIqwvFErccC1Q0mIwe31PZp/6WuGSEUWPGtk71oh
I3RFarWFlsxCV7NbtrZplZWpFXPKRyTlWriJS8FwaC8iUrZM3gVOW/eAxcrN
AIx6KPNJJ+oFuY3TDQbhsBwDJ/dtb9odjdReGsUu1bmtmkV3al5CPw3wH53F
Bc+FUKeuhTgw4Thr8i0FeO4+WVTJutbuab7cZbcokOyxMkvHoZoxTtG6xv19
CqxgBFc0GN0Xd6nf02AUUn6BZ2JkLREsjnhD025AQb5JLnMEZ4q1tVmj92YS
HawtQKveGLre7liq4/S4fNG2S9+n0olMTIt15q1T1v3UiHBm6l6qyh1P6wY7
DdBZY7BCfblyFqDUJFjNVBbc2agZ/VrejWxLPQKRdAVUpVF1pWUvwympW5xb
HRUNFKMEbhq2kzPGUVskpPf5KvIdRU3VNVpk2VZkqFGaoUYUCGBOliA4d5IU
PvjOBg51gOJ1c9Dspg8CSzgbPpdaxWybAdIoEQX/M6dbSuV/sWZiSdewUFG+
wCYMZAu91ayRFq0xX1c0DOBY2IrBdo3DHkXstm2/qzHZ1ZoVlmCV1MZarRx1
tiEO0HqFvG1XCxPJfj38g00pXE17SqZKw7DvIM50I1qLqTla22L7plphjqX0
2nkqLto544i3kklotiahC+3qZXR3MR+K+gmxulen8ts1WcSKGhdw/biKECKx
KY9f+pCWQSbG6ZM7oIU0vgNivh5iC9O14PS1fTN/Tt3hIx06wQZBZm4qGWUW
FVAQztIVOyzMjGSgAsn7NoyTsnlT9YSa1qIpvu6pkhp/V+m7LuuutOHQcAhs
wEFHAtxG6sc1q8s52PJ5XNf53B51LXpKjYNwOc8QGDMqCl+66Mzwdg6lb3lp
DVKjjf3t3GPjjsdKiu2rBXtoX62QW4r3xhdNlMhAx65VfQOsdkhC/O5SXUeW
G3rCxiEZTVGg5WIrVFnAkBMBzbEXQmS7ToJ85U97J56Qg0IvjTj+Kcqk7X7t
1UO6iuQvxNj8jfPIrMXe1QzhqvapCMZGVV6FlZxqUcYhJZMXnLus4HLOymHN
eEwmqH6vL6ZTG1scx2WNmjbqKD7xEk5Nu3H1HY1yotDqk2bGFcVRol3lldiM
4qpCR6mETAYwzrwo12oU9Yv//B93cFs16yOXn+17GHyJq//6/Xd99qhztbRN
xr+f+vP7H+prqf14hNr0c9co9/tpH8WZj7/EPnPurn8JWNE1yu9+PmB+c+eO
Nthl79jR5/7UR2lBl39Fav7vG3HmnwtfOk2rI7WqHnZcS2frGt3Vxc0Q6HFA
oMf3JdBltC+80dLpGg26Q9piTouy+FOgf3kEfH5dVoWm8dqdLRO0mKbTMrrB
mid1ji4kHuNP4uhyjd6wDRyqwWIcEzmTnmatb2XiS93DOFak9Gn1C/EZD0yr
YvfIvn3L4sb2PbiPG0b7iuA56G5BlinzGjva/6XZ0f4d7KijQnMblxLkwI08
/QX4FeljoxYDzFVsC+p6BqkSbuNU8/Vi5m3epKyz6oQeKcKQvuuNZyfKL8hv
JpgpE7Ed6nPNkoK/Ynmk+JeyPh2vk9boeg25SQ2WiaWHnaKlhH4BZvP7BAbZ
6DRfJuE6SFWl2F9bRruBTAJ9KUtEDYY8PGuqP+otl66yJKniXcUlQUSdXrkU
79bkkH+QnPLT2M4/Gd/51eSUTjHlX4FQ7f976yj/v5ZTutCFdc5upPnnwpdO
OWV8bzllfHe3WefYPvSO7VPn2A78UZM2J6WEp8XedmI85KaKSM8XrzKWDyqb
4TP6XBbVduit9EY6msrM4E07zehAb/tn76n2W9VkcwqpEX6altalmhrxxo12
c5VzBBVxwtZNlldE1Fts5eouxsCzOGNvTscYPjOl3vappT/QUJrKmYjCth5r
U1oXWUY/7nEc0cc9kPhQAgq8Gm1LkhDVUuq/xDyG7NWFDcyRqUlwnOsDp0D8
bri384xq/LENi7vFubBlecofIWatSBKzOZbqCkvUU4CbxC+ZAXk3JtCNGCf5
S9FNjFa1+9Tsjyn5qDJ5ByXZ+uPZNUACS0ziHjV+MGZnQ5YgauGXVMuvA4xy
VoRU5lb1zSfWNOSi8PBrisMrU7rVHFvxHxih8h9Rb+fjfG87iJaYNKMlblTa
uuOWkve07hWmNLZaFttR0I3o00PbG0i77F1QWFmMuZ6MEHKr1M1uR4A5rzCa
OmlrRaTCqwaxJR8TAATHUtD95ahjrYoRc3JSuETMucBkAhu6G/Q38oVu9lyk
/9MxRvoLIvL6BPFQHnRApSZQhxJPjvjcO3z7zXZbg7FoCdBIqekktYwV6rlM
JW45zMkXqdusGx+iuE8XdZsvlxw4EfamMssPqJmCJOiT5qdFnRILAfRJdQsQ
xjxPN8vHkObSA8attUSdAePJ9aCT2lGDMJyvC2q2vIw1/tha9cKoBKRSiwWP
TVcAocM5bapSuiS8Ci9gJfEuqOxyWKNvhu3iwOH004KzJhA6PALFd644tpHk
bgkHcCUROOpW+I4LzkHMaMNrWB5GnMAlm8bS/ZBoEfGx6zzFqIVyrVWfGodT
+lRh00dUu/9crlMC3QqI2pSQSlssmqoPdOgB/G35tW4Ee25Zul9YGGfl2+NJ
Tjdp1MzdtJObKkCGGboIaMZhelNC0LjtpZmw+ZrvJ+jzFbmXe4WOjAIUletY
OTuqXdROc3Mvz5NMPI9l0m9H+/bWc0vuKEhBwVOvoDWawvmCHBhBBC8+CLcU
nNADG3we4juBibO2cSLTiIdYXjiodGGVvCBKGUJQsf/AIU1f/ZCt87GWqsEC
KYZJ0cUoEqdEkv9gxqmui9oSagvse8UXwZgDbGR1iC1JPAv2FiSO1TcjHYSR
bMjO7gSIafGtLQ5bJlI3MOOBbkR2q75okAeLnJowayfuqeu7hk74Il9SL03s
/Z1WLb2/cWwzpvHnTehAqNOJFJ1gGbiHeQTBQWyjvn52YKqv9cr4ti+FGKRI
XD802kidOrY72IpYSJUBmLDuv5GoBOS/UV1LcRsb1McqmHIyOKc3Z1NpUy4U
qh2FXbRkJYYZ7j1UbzVLJ3tpmmDUqIBpKQukKi0/GI+1tk7n5dPig/7vPYnS
2obzA1BmUyeVlENtzybLMnlJtRVakvABXfvY/V2jtKjpFrG6v67TQqbGwonA
SIjdo5943oIVGjBLRNkIQVkejE839rvDlwfffH38/vXJi+PzkzeSX+8lmf3h
uCbLbLMwhxnJi5TI8ykvkDPbPz1cVinbr0nhuCi1cnSHYsEBlRSM6GJpnhP5
aiNcwk1JfghiRegTG0J0jwFcoBjjO4ajZI7b8GfaNj2b4US3gyofuFGRDIay
hCQ5yhy12m1lOD7zONN1PEhp3jTp5+zMCOncs/nw8KwfHX573meNCn6Hf7fD
pdVe+jkwcGzBVXVoe8Ms3+VrWoWkjHpqotqORnQnx81CDHet5fjg6K5HapQO
J5oMo8PAIzIGAff4bHB4+GYwejJ4sjsYjff7KMgMxntPKCLhHf92fEb/6X6Y
k0YnwXjwfW3A0ZPPGZGOn1mKEyaAIOvR+kKy7GzgfbMkRxSKImr44dIrci6G
sHKjJxQsWQMmze5iqvVLpgS+bo5IsGLkSK3FQm4dpcieCe+jnpOmCMWnh8oV
2f7knntX5KuEYoH4GS4zocokBu6pWKsDIBXSVyjjl4wProe2q5UB/w+0nuWT
s5Ov3xwMTjwt//SJPpL4Lnz8mxx593ffwZWuMBcCHqGPuFkAsnjqquxlbCU2
O4wRfZU6QYBcAO+HjV1TxGHLqm3PT2/e5+di0EFuS5QDqFGVwM9knXgLVT3P
C07gT67aA4sM+SK/vGWYuC33fR4vCtLU3PsG0zdKlK+mKEusq7VUPTDFTNjz
toD9ZZQBQnVGsKjQVPqsrRKMRMMYfnyAkoNrzYTdCnzlNbeK8O1GgRM8hIWt
QXDHiybi+KtbcdbcWX3YZR3XwqkMyCry9MWXWPOzio6cyuKqblGNHo78p7oG
R2evzrYHGEgqAjMcMsgCg4tUdGB2tjkxBq77AJc3wBG5/UZGoY2KxKlt3H69
XqCsxBIyMppumDsaANQEcJQCn9yKZGcUnVQ0UyDCINngYIZ1dGobs17a1wEw
pgsjQJA24d3vm4BHeX8Vg1TlBwCky8IxpRrXZbLJhNsYHnN84+uknMGtXRml
GfYHlFeiuGazAhHOy5gqt9kiBiOFWOayrqnb542NBNROnSjByrCiJ+dofPJW
V9ztZcbnIuARvzDAAsbnZFMHwsd+j32UC0SPI1xzEftk+Ay0MmRERDOKfF2x
bclbKOWG2HTkodLrWjK2djfNGDTUbFOs+RnQ1lt6IEsWXNgDJru8gp3MfMTj
xS2JoHKQwNVpwDIMo4yNWxQYfcLFAVpaQXjTnbur5RS9oI5nVpiYg/WcMkoi
x2u1reRaSmHhGL5URXMWv8gq7xy0tS2Q3cdk46y24G8wX1jZ6R6v78LRoVoQ
S7/YBpMAbOSA9I9I6NJK9UySTCntkKrrlIHeXKev2GJKbBOxSSJeiP7hKqM6
caO/ufSOxGGIBunKDzllju0uDWJtUImyqWJbbaTkGhQYeBJ8SvdAzVv1KFmB
EQaNEKBKR/axqXZHIyQs+wfX/7IADcJ4HKwrD9/GCjU5PLSCe2r0DJd5mQUE
DjEtBvou9EAHQxOxUWYOVMdQzxRMxHtwXjNNfqkvJ+xCjJaCtArcMkEptnu3
hnXEqyNHohG34chWM6j8DkYlQaR5Z1ZnigmrFTNRp8HD4KpJ7+O1ODk+f+Hk
yNIJzi6OBoS865hY0jKHteTke6ILqDRWGaY3fEu0h0QdqWDJyakuTKPWjkAq
OjDLZXMMp1v48tmSBgBf8TdYvQH51AKJ801CJLqm3rN0XCTwDtV3OebgLKdc
dMuMTo7NStcIzJnEcjW6ddX+Lz0CmtdWMXE1Ph16qifVfLb7UnfAThHbZ+83
4DB6UVCdi4rMm4NinWW+0s3mEwAQoP1Pb2FpK8bObrN4KW1mk4/zdFEVNm+U
hFC9vct1Kc5qqUyCVI2SW2OpR+WrAeWLBWIvFzh0VyG22h4gUlmxA4SnQNtW
DoeOvcJJc2AyAQC7KDBsKHHOEdD+AANxjMq+IP3Cy9vlEot8TaNLYNUrPpA5
6Z85FhSISVJqYjdmIl8Lf9I6roYNTHPO3OEiYUV8Y1r0MrUE4jEfiNxjnL/c
wAxLX1JeuLtdp581hPiduHxLPGXll0o52lbBIABhYl+xnpLYgOTPJ/5KBj3b
su8PKOa84Q1BY98AVTdBd70xXmLB6EbpT0JRW+V2K6YHOiUxo9YksXIYuUWo
drTplsJIaHSQij1JVXJR8VDeBjSC6wCHWzUowUxeTWs1kATHfT0g1JMRym5v
Gp7aOkv4XsfgfIFqKzH77zoEtwSpshPXlA7meAb2kjjXTrjaJnx59OqF1EM0
BsUeBeaVVySbEZ2ttskGX9bmy7mgdjCf1mkVc0jtEIJB6yvCA76LkDLAQ0oa
jqJl1zYsmJkMRhzCYoES3FFbFi7MVzG7nkWVsxKSsVUVgXEbi5e+h2/LFstH
jCEh6XJNRTSf7IJOXhlLjIiNwJ0xY/aiwGqeRPQDdTUYA02B7YPM512jUJQ2
kuIPn7UEI/+xc40qabOgTdxE65rtDifRRbpYmEK65GXSkFKkTE/2o9sk9oWl
kBmAGhizUphmgV/9JD8HOj1LQWlNpldkY6JcvgMuvVX4dce6I7RhumtJey0b
JApRQq5OvRxuX6w/8Z0z0KDrC25/2SHeSKlJqU5M0t3+k9EExSOvI3MBhvaV
kiWAynNqiwGsOAZ3F05D5McW6dLXNfP6mKvX6Gowdh6+4hyMg+llmYrG5dqX
gK2KoOGYa17h2AejLMCqxEB4tYkJ7LCW5TaZ7eLMeKhURdA4QLqeogZO6p7G
UI3drWc9pPWS3jRY960Jt96r7dcffWASGIdrkCB/Mq74qAluq8N8WQdoursY
YYBQsSYg+l5JLAL/6yBTJJQY3zhYWSnHu+s8VTOsjyciNOg+gQDyLACHzg89
Im6hx8mTkXgDTwZHwzSp5oMpCGWDvKT/SMnUvjuCdtNvx3lo4N/0Ciu/wrTc
K4ZFjcbu5b6RvF1W6sSn+HhXBFRNZJ1tZuolQGuVO52XtL0WP35jaoJi8e10
Uc/UxBcIExMOKNhUur6jakFHzX2ZPmB6yif/yRrQaHmBZlXWRrOD+pHA+Fcg
Q8ARhztx3eYap3DeODAHf22QkM3uhqFErG4+MbTadNuWOIAkMC/2KFp8O/Lx
omhlpNa728Yyq1XXYcp15qdXoqExXfzdAOeiwp3UwZermqA4g2+s2wrbovx1
CyLwhoYIzuJhCn072U1EHi6AKxZwS2lDO/xnAmnC8JgEQNrlD3epP5gBSFLd
YHZPV9kN4WpKEvuaTqYBewdH3NTQFbm19cntYV+w9mntkgFlTkuvFAXVvLFK
IKrTFIDDiKiZcqXI0jBnSUsRw7GGAqd01UFMuryqxEIixshZPl0vXYCyE0BJ
TDg4MqGGbiYfjQlPgxRGXC++LJLE+CPg2hVYM1ZLfaEZVNEAO8NIAXD809rw
UYGReMRs1t5khqtJkkPllhKGaM9oL4TlerQHWesvEmqHwY7zNVqPrtPkBlCI
m1U4qd8rbGScenV4sv0cY/CEqTbFgqAbZtkQ3mGAwG3VYuUFOZgjbKfGMxio
d1pT3Ft5WCmios/Rt7SMznagIZfs11fkY97Um/YT1tictu+TQ/O7R2rfWFhI
hSbCxSOl8SIwZeE571aov4U6subnx+HWmCPduRxfX9X6Ql3Vu7rR/TRZgdhK
IH9eL/W3uatq30TxuFdwcjwgAw/3nZjz8OSoBlBeCx68uNWq7Go8Ifp4kXA6
A5mbYsyuZRtV6HtKK7RKfTaS1R3YNveFazxlt4oKZBEBGTGufKSBa+8GND4u
FikzebaTOHeAz8Kca3cZCkz4W4JFNr4CWKSj/R9/pCCJAh7Ixjv012FeVTDi
O1zN9Aq7BY/H9MUfYgpaH0/or69ROYNTOFmss8uYHlGqFRTr85WbtJTQhbUA
aKwE19w7DOwBjQAUNhdINw/yclmDN1kMggQgx0NtmKanPvdipOrvCbyjwBlB
tEHdQ7bB9tWtkAL6BQyjl5zO2+Viw/Z+YvPntQiadg3oNXHkgaBw4X1/3v24
DXkUKylxXPK8BZDKsCCyhtk2u6Z5Olg5lxrFIlgHcGwCFRwzZBs2CFcYfeuC
MwFvMQ6v7sJCeDp/JcWnSmCBmGhD6HuKZI3G7F///9p7k+ZIkixN7I5fYYIU
YTgy3T18w1qV1YIEEJmo2NAAIjOLVUWMwd0AWIXDDeXmjqUio6UvFJJC4YW3
EZkRmRGZyxwoc+BlDn2aHP6R+iV8q+pTNXMAEZFZC9norgzA3UzXp0/f+j0S
mThCVmNLKNE2CvPeTs4LUMnSS0SZwdU3rwRmdc0Rw3PtA4GbtjcfXyPeKnXz
K4GRZ2CcCa9XExLnGJEiigDxzWhqNKdKghCKcCaWPQr05xFYuCYJ/XfhuWdw
ZC5ksmFnlEscgIUhlw6esOIbSQ9a1LXEaG3NSw4slaVUS6pnljVV+kqRkUn3
D7vXr2ENaIru25Z/jvzb7nPpFYclgTZ5OZyXZSXQZjH/6DGRBiF38f5WjMuo
ssVMBRm9APtrZIsToZ+YEBxTCWxGYXtB3In6aki0CwyuJBY6P6IXCb55vvus
xd+vMPjvaT7BFDh26FyzDSq9VMOEsyZemXC4zFpQaLGiDsmldXD4rJ3YDlXY
Ls5mKpcI/LDtEU0fnBgyLm4YN9+488U8hS4nI+w6kzGTQszaSYzAaC2M/Tmf
50CTXB8LND1SWC8KWOTEF/tJGvuvdls7O9sr9vb3qF5eRtSDu5BgGBwPLkVM
yHFZB5xTdD7Oz9E+20yku8CLj4zAWxMFgcANwXJjUZ7yySQjW1jSID3aCSoM
LypaB5ufVkgOM2Z25GxSNdPp7sonmpi8mI9SLYGj9YYWc1+Pck/PjMeI2T7E
RJ7rjJfs+97qaneTmvt+MNjQ/B0zokodKHTirw82UMN7RiiNw6ve6tq026Rf
+xsD/JUtCMOr1V532n24VY26l+zBo4PWRqfTWl3b/qBeUnKT0NmfUmgar0UL
+ZQsnbuHgWWOgFVLwgJHjC2sM2ohvs80UrhqNDAIXwWhcG8TFYVT7PqsAq6F
ZH3DLngdh4w9uZRHW3uz9MFQyDuLOTor0F4yRnIIWQSGfmGGlIgjkbNHBT/U
H1nInVNYLt+Akh8ptksx9BKwpQO2EGMwOTp1zI+6Vih8B87dDFUYd0TCh1Ai
uEIp45KZIzAUVJLnU59kTl4j1Ko4RA4GJ3evVEqYwxiGecau+DNxxLvYYHQy
8zLp/ehHguKmInrMOWkGqX83O09Pp3k2zrpdB2t5fIHS/RSulF7XZRhKpPKd
DnSB65hixXOVmV0CoN48TnKXu4vgQC+y8Shm/p4Uw8x9jZJ0LboIExKxjP2R
HyDPL3H+FDEuRaoASgBdhSJ0kY0TwRxP52TLFrs0knDj+PWzNyv0K6biuBTM
WXE21yvdQB2y+SMOcqq9geXSAh6CqRmFTovtKgHEqsb9MJWyjwqoqCVbTIyR
4yorQUdE94gCRHuAYoFJe6vx0FNELArv9aiEssRmYdNJaINH9EhJBatZ4goS
8L0vMM6y70sCOHX/o0A3g2Es9EnIVOiW9P2ZxafSJMMZOVk5jiB9S3eqt2AE
oAdSq45lW3OJjepqNKdlQJ6kGwiqYoIUZZ1/h3s7r1++3Hu1u4cpLa/2gZcf
HSRyXUR3B7Kj03wkbnwyJrC1RDLuWvKn0TOcEY9YG0hNLhdXDYmU/TzMy0Cv
ZvUP0/+Q4z6fpjfDP929heGg4HWVXmG5VglZpGEUYje9JLcV0tVQMmklogd3
eP/bsqlmFkXZ1FRCYHhjzGYhtrS3fdA6Pn5xJC6F7VcIvp30vz44SLafb5sq
aUe8jq39kXvtxVHSbfetiqGlIZ7v/ebo+HBv+yWb1ik8s37RnLDIaCiMyQVX
zkxTToPo4+MLAeDCPGHgzHYPu50Nv4fwB64a4q6IEaq6npRNKMyTw42Eo8Nz
Kndca3FEDbvB2HLvVlNPT+wOoYAypPVRxkGmFU/7RKuHBy2ms7gpMawY7HHW
pENTy7a/4imHh6MtlpZIV+PzpFdt4K+k3EiuUMd1HW7iMFMmmCLnbEQ8cZwI
5VQ3WgZnLojylbQCFvBPjMWkFNeyULZhrli3NmyMkAIVEkRXU9bXJIw0q57+
oLafSWCoeKJi7LkqHDjfM9lEQj5cpEk4YLm3gXtfUXE0nzrmsqguTI1KVyhE
pU6QT9H360KL8c3wHdL8WxxqL2lrT9cGSUN+x7o5E/FIFeKVL1cMUEBQexkX
VCDGpZKNL+cXgMUIW7bpR4pjM1ydOfmaVyKqeoz5MjhkvchBal3rbg6ojpVz
28cKGQskNxfF+L4coZgso+WFaZlReqFGorNDhSySSKOmUhctEJZFQH7ONydQ
Knp1Zf3pFvehkM342gGCo/zkpk+FqKWQvPSpjDxCs+nR/KpdaKM+b7FKchtw
2ygzIQ9Eeq7PBqQblVettCO0Zm8B0bjedh1oieprSni0dJxFz/cp0x4ZdmxD
iMxHyb7mHHBaLUjMJMfiqxaORXaLXtrffrUt/G16x4z0oChnrX+cp5MZnOGK
gfrqj0MC2HZeBp8A6DP9rHXc1bacDGE1prypmFyuBtjkj9KXuN6njJDv+R6y
CtLIKZkHrZu3V+MCWjWhr0bzumPU8OwW5oRuUl8cnWMxMhW6eWaUn09CR0p5
YRPxAWl8JHM3SQ0S0SFcItt14+Afd1Z0hWHhW7OiaKFNhgyr1GQ7eemvtvIO
LpZLlzw1YxjTkvOWbtJ81oKZt5A7AGOeFii6cXA29EPmkYtULhl3WHQ5ZxdU
6FJRJvNLFEcxt3ZHkEawCUM0pM9QPLVs9tCk3OypdWMHrRvRnPd2dlbcIWHf
O+xZGbgW0TdMiiuacwnQJIrVk5UAGjxykclmdHqXyiUmUSLK2rHzSvKy5AiS
+CcA4mzXExsmUSCjYsUkiOGONwUSIopPT8roLmNLkrzUAhlcNthYRAKCxIE4
nxCOk0bnr6l28o/xGbCFPSRzeIIW1yabDCVF7SJLr+8cZBfpEO5u/xotFdM/
//O/NTlLzYqtk4UPxBW6TMdNTdLh6HtKEqb9S6coD49ROmnXNszj9e6B2Wyc
ceEehCeDuYmKz3IqMmtYhqbbN1yPG4bIQaFGd4rL1vLBZJ0Mb0ncEqBdMgUo
OWiZonFg7/Dk44qB3hHfa5pcWzwGte8okX1zdNR68fKobdxRrjglJ8W48mkB
8+a0CrGdmHa1FBQZQMhaKLlKeCwwHGEPrsmrci5itRQvazzfe7kSjxs+K5sa
4ea8JQKyYgPHgrGYZ5Lclm3nmGbQNh17j8xMPuCl0mg6Qr5UcuIkjItdQGfp
MNtCUEtJo5qYS4MjGyI1HBEwf6M5V5ldCKHqk+/d11GA+BuJ6ZZ1YTAecgSa
ZIQ4XVzQB7mAjtjX08i/S27dKOEG9QCDKYBglT58aBd5II72ADWK4R3cmzak
Ki5wX5WpSTmiPBQMWZNwHtPBSDuAIaT0h+B9oTpGPqE7m2hrC7ZSoA8nA5rg
Uh/Z5WOnWLOcT0KXqyQkBCZNuuONCZOC0ZoOPfOQwUwl7DZENcRtC6RLhj0l
HiAetjBLguxmpXNA+QRoSW4iNjhW9CevdtXVBlIZJEtHJ67IqV8K0FVQRHAB
B+I0g4fH6WnGefgy3FJWXrxlkXfMi5DVl3vxy7EbDY1wgspphbEAO++hwkJo
sHXI2ePApSkKTCU07WHFj4iUKKlCqSHJCIGKiiEV14lGUenFaCzJIauQFYmT
MWHVURGB1zgLHONts7pO8LIov6FASQtB9tP6tFeNGWRR1Ykb4v16KGQ/oD6O
sy8V8NNQ4lU6u6BEXqwb6T4l1EVedJ90J6MVy6m3gkoiP03pDOUBb3RnaL0p
RiiZmCMgopoRqxl3wWqQtY5XQEKG9YJ3IQ/sseCUTlIBF6cTo5un/n0CGnTn
vczRLZNOMgZLk+NQ33A7OVLFebPT6bBNkhL3J60AZFFQh+mIEAa59k8VrOuG
jJcqm7dPM3WeslEOB3VZOPBxzguc0HnqtlBjXDjYSlek1fMVYZYk1WxbaBNP
h4r2eDVJJiCXAwtIV6SV/QOH+cBJA+7PekwEvLokbGmf6uvChI5ZdXhZjLJx
VQXM5bEWaxhwnfnaCZE6SDvTX1VH3DQzHpeJ8/+ODDCKg2SsjztQelaHzjTI
lmvCicGAGqAcKg96g9vGgkhWzkpGqb3Tu5JMnz6Pyz9GeZ64ppyPAIr026KV
TocXrWjqrUtcoRaiXaING+027MFd6w1gxopxQp4JjQ0TtYzeJGp1qx559NUo
5PCGqPUPHBDonFMxcXsEBDuEKtQSW3yIpIxSOqPMavum6MoIBT2XAvBOp9ac
4JkLhyJbMSLh4QZPRQc4vYviHKs3AF3RXibxIpCo6VGcpDsFLHpoFDb5G31Q
thWYhZXSgHjJ1Zfca6/7pJQPIQKW76QvByFeJw9RQHpTh3cyYCWc4HTQtq+A
WhwV4dn/NDtPpw4oSExSeFmQ3yj2CGxXo3UuEYzRcTf1I7jLCDEZzFHjS8Iy
G1gWC9SD/ZPvKvb1+SHjyCgksIIxh+Pmwn5enpG1o9VgVqd2N9avrtCRg2nc
Vcg6MzXloWETdh4EeMRwehguzA90odkx5RWwBtzU7oJoMMEtkK8oLQ/08Vwc
GVSj3dkKdUBBUvfpnS9F/kQgz5/gBJ8MV4dPmDPvZhNgBq3irHWEAs0Q6zKP
itJBj3F0bl0CBVWSuwTuyvl0wj5Hrr1S2nOxedG5MzFZcJ3OqR4n1koHtadQ
YBKT79MNPKC4TgxAHkqMSJkgvnON9hmF2igWQRg6gb59ZkdM/CmBat9Z8BRD
bHzoeSLNGgoT4YWkVA0FcQDv5joMxIJnhQcKFlO0R3JGayADgfy3/5BKHpzo
wTGaNysNDD6NRWDYP6xrsweShaA6V+KANrvrq8DB2WIjOA6ureFY4y5G2SVL
OjP0xqVDF/eVsnsaRNWUzqnKwh67SZGe04nFOqBcDZDSryIHOY7bcHPeE58b
OsRnMOBWD4uShnpsmI2IbhidnrapmnrjrBZ2dXS3SzZ5O5zu7PYCKE28Clfk
HynOloDiijPi6PksOB6BNJESxipc0ZTxtehwAOGMKNQHVnfcDPSoQPbgLSHc
b8LfQ85B9lQ6RMFqEWfiteQ9BYqFBVTzHMNFa5SNQc04zfhYUTATmy792ZT+
sTQ9RSxpDqfia2xHMQpcRgpD2M7St+Ys9wzynf91QBKV1gKQ455dXjGA9TSn
jAhbKEFyHaULVwzLxYbjhwsqe9ai8zKcJ0brz8nxdmZhwA0AtxhzkBvb/IBz
tv5ZNkXX6vmErOPsq8LYEsf24hGjZnEqwGnVMRO/DmWpGtEZvifFRGxAwoZy
DYh3/nUJV5bNlfAODlLBOBIOnNNAbes1p0FRdMuk4FvonqYcF2ziWvJzJUre
6sJy0ZcCMOURr+T0ibDo8joDNm6N7ldlNh8VC8ZC7k6KS6l77JIDoYzZoiCe
XGX0zp+O4cYpKGX5H+l+RY+zyIv3jkNyg6cZYqAQvXuwG5cfK1jcE1Qyrwu0
TRLi42UxvSMtG8nnNvmq3W13HSvnzH2jEAi2PsVYFOO5xgCSh0dMcjdT5hyE
0FbtaZ+KxORSDQDlokkefHSDsmAULHLv7H2q9Cmv8lQ9bSImO+UK1LzpFahW
peg7G5v99VDfwfAuDlc00KJsJYlPNQoF83OFc82nSYNHubJwmBr95IOjbJAk
w10EcOTGvq/h2wp7f0l+kLISpHQ6Ld6yo9LDWJbz0+uMrGuLhmaS+OHYpIGi
YbBjJFEgsfHkBmGuguGkIeccgePcYybciiLRWZz9BnV+ePI5/AtkEju/FfFv
RvGFLiRWznOYFiLJHXR1ztmuRxsVr4BLU7nJp1r3p9bJN8rwXtV4JusWnDnM
YGcIYl6Ce3tJdmxY3b1bDm93DcXAuqYZKdnILnT0nI/gF+KM/JFFZ2smyyHB
0CPLhN3kvCN6mNc21zeB2k3Ycjs5mAuUoW9CA8Jb5OKx6Ba60TVdsiqII+Xb
65zX7qrA+tvM41GE9Hj4+loph8edNzFy+CD11OzxRX5+0cJgT3zSb3gbZHUK
GsN0QdR1yVxzwTGacJznmj8Zn2EHvVbrSBNBJkCBJV2IXH1wUFoKsUkHIuVy
HX/QlFnBcRCXJ0/TL90l2wBZwXJh4AZNYopoEmfTc6xQgOhaZQtPYmvCuMli
MFQDukh8FAPHIebl/Byk+CjMvEfc3USa98nAlXsWyjI2yxwgJZ5yvbDobNlZ
gHymd8duhIUxvsnPmYpaoHhxKicvfMB0MbPhJdxX5yAfYzw3eRYdsUW5CPRL
Y3aDgW2jFSA5TAMv9aW0jF/fG/n390bYgMz0Eq6tKEu7vIBD1fouQxUbTn9J
99klrXR0YaMtGu41/FotesNhNubErTCjQmDKvGZIPqLannAtyRvtLgUMlXZs
0+cC739berR38SK+nozvIrWVQ8TCSm2VWOrFgGTUVaHNWhiOBc26R+5ttmq5
E3vdIiMA8sbgsMnB0i2e5ZdBtt4+vz0ia5DDxSCbhX+pWqGz9NH9YV6cTw3J
OFKfpS1C78pomjHiQfthT2k6dQVMCQUKiczDgahd91xQy0ecqaJwc8Yc006+
jRBx3JPIvtQ1HGSTHII+2DrOMQBrXADXaBwe7yiOj8VYpasW5ruzbVGSMUEG
h3qnmARjHqGNLpxm14WMyKIZaF0C6srH+JmnPRQEakTZmZN/Aw9fXPpFC3xU
auLBedkxwzr0Hb3IS8IvAza42ttADwy0+Xrn6EDvyjX8zBjOMMBH8OmjaMi0
jKMrBfnQo/rvfHf8dGfniCfuDZSfQgTSpMtklYpZfi3FJ2fcZ07N8FH+VFNF
RKoJ7MhUB8UVn7h1PuqUatdSYw+904ILBu7FvLy4FCP3kLHpF0FCPoVR40LD
wHFkvnigBvSSpC3BPHgdOa8rJmQgePWd9V4FA0cWmGn0vIrxXI7XPqdlj0YC
wN4gs+BloXh+KySEkxklJ2MnIn1gAaPp5Q0VvbmisG/rweuveQ+eFJSR7FW5
K7T/kU04i3DfRDIEMvs1PkwicUxWTfVVzshgIj6nBSVTnrwd3syeUK/w67B8
Ehrq4MsWv9Sil5DaseOgGFeK8Y/KBkgfBVk2dGWR8jZijwkFFvFxhdenfDzU
CpUqySbFqUZ/s3Z+5+UwTdNRP5rmNgYTZwbAk1LTkwNLdlgvpBIEYKVNE+jn
0EZJx6kANOOgbID5NIS34QhzWVZrXadAqiiMwBqFUdwTcrApUk3vzrORjMRW
4fClZB3jmhZh8tQjbxqTtMUcfrHTG4v4choC+nts2Y2mM9wEoGCFxpvTN5Pz
wkccaYJOkKdL2QEfiyEYXx31U1DEeRe+LjAMBiVxrpQrq5KLpZ5tgcB10GDn
Ko1TYpiNhqdEZDrBKCKbGHrW8Um+C33okrd1gymaC4YdFEISKFcfQZr69XFW
w5lGH2qpwDpTJvNSEpFcrTeaYKZ2OzupBp8naneBnXOFXSnShp/VorY4auuU
Ih0rjWmmos7JM38FZ8N0aFy9G9QMMaQythhxUhgyiZsiCMOoRaole524X33N
OgmJvBF8ZhXlvKEhykKhV1CVXoR37g90dpsPQ9MiYr4ghNvXJ9/bsC6RZEoJ
lV4QSMZ1LU1UjnB8vBTLpMEctGlvBeQ7s2F7xRVtqwDca/4E71fQJFOCgQI7
RZmR09UuPfh4MAresABDnjgvXXEaWB/YdkiF0rwDjvaosZGxcELmTDkSx3I3
7d0C7dF52vN1SZPG8d4e80tTFk4v7c11dH46aCUfdmhUNZdBUpr+PW5RTnIg
jRd6aifkmWK8RqYttFdkxrixaObeiWU6r6oqMbIJhg2zguPtGaHuonWmC0Ku
lc06OHzOsxFVmCT6eC7HVmOAT5I0xxAfqiVwLZhMVBsZ6ZE4DwYmmsVnOWuW
IjCZmBF9cQlpgO5iJSyaL1elLhgNJyVjbtAE2yVGmQtyjPvFanz+SFmEiwuy
UVKYG0eIM7z5ZXrLAMOc4eUTZXqrq0Ar7/78v//P70E4wiyeEw1suNGYIP1I
Q3ttmhiCn1Aezn35YgouW1fCQWy9LICKizGbuOQBg0caNto0ZSh7hqHaYocb
3bUOD88XUkW7JlwRd4LZ7iURtqIXpbkzLcCH5MAG5UTVmmkPHiWmVwqMU7wX
+wTvrUsy86UpT4Fxid0Hcz1mpDxJaHhk96SGW66MyUmPZCaGdyARRMrphiWp
LM554/gbdC3Cf/v034HBhA9c88AQW1KLVisdYFt+fVMqkHw+UfkFNs4+KGoj
I7CE5ZqLUFdwtqe25IEC+xXfgvMsRmhDFZ8k2jTuqdVhr+QAo3x856+2nd3d
FyIU+iLkC2z3D/RVP26X4D/BM68ZfaH9Geu4cwlOSgqr+i7TCYeuY+KdCF3n
VDOh7nlgFE3FzPAeFMLroKJsbPKTtGOUS7u9NSKpz7SeuyKqJy8wXhoEcU5S
g5Fk8k2LIqmxJigOQCqasq0WRQ8pw0uaq6a4CRgOhxiaj9m4uLy3qIzGazSA
kyjQoNGtLLO5goLRtxBmRhp6Bdf3Vu0M8CFBxtlKfvvbmQXc/P3vl5b+yf8k
aVpeny8tfdGyP+FflZ+6r79Y+kGWj39+QNhQOp64e5WfHxI3RP/Z0hdf2p/w
r8pP3dc4ik7Qza4khYtm8jLF9GqkKvRn/VBdHRzFT7EW3ceMIgUVIPk5R9Fr
9Xp+FG8mrl5a3Y7UfPYTjaIfbjxFJ9WN4eddi0Gr31tfW//rrgUOYaO1trra
X4VuDkRSxoSiv9woLANYereVfHaWn7dCVpfM8tk4+3JZM9KFvdB37WVghJ/M
RMyaHFI4m6cPYnAsSBygYWtEToVoGT6EVQTcARi2EOQPyRGonSMSS7aH9Yzq
g5fczKs3wM6Y6H5AHg2CFFq0c7gP6n8+tq9gR/3FFiJVmHuNk3Vaein97V5s
wQweutfI0FSM55fOT+xHh3Lat+hQaibb02nK1nlzRamG8K0mZ1HWwCw7z7yF
TnOjuAdCcEGbCcb1Tc4lIkPhbmKTrx3IVrBf9meJut9KWr3BEg1zK3n1dHvJ
jHPL8oz712NRHw933v9rdt77a3be/et13tGuu51m0upyHe4B/Ar/yEfhiB4o
4c1u+CbHeDSXmMEsfufnmZRbz75OCv/3yFnVFxL/m5hXr26zuvDr+sdtVlAd
/a80p37tXj1yUo8o+v5XmpbjpL1BlQTls3BaOxcp/H+v8/SgGN91+53Vx1Dg
4pd+nmmt1k5LduujplW3WX/pWa25cxXt1XpTPoooEOjn652XizYooLvo0Z+J
MfSXVMH5mTpw9NyH9Rj0ecY9+L0Pm8OfRWsEk3UT728MdLfp170j/EeXKHry
Z5pBSLqDVR7QqjmRg9XHkO7zPb/jBHr7iANJ73zkvB6j9XyQgmAVn4/WfT5I
/SHNcw1lezgCpAEF+BOHWub3Xq3kg+bY6lmVq07nYvypQDv6pB5Z7WIVO/kL
zDGkEad8CZrKMQKwGNWLjd4txGUp/3b1LjP4n0jr8gEP22GA4fNMwN98AMTi
J2Qgj9HWCBtpga6msawatFVT21XiNB6jz2HwwM2EvRdoSgm2+H1bFxOOABrZ
5XZo/ys3+Yg5tvhw//+Fm3gXBeWH7VAwhfVP4Mct9LSgLedvl52Y4X8qO9k7
PDzZeb2716Tf9l89e01cqhkac2q5hb4aMgzTEHn8yEXmgiap6chWxM8ZfvJ4
00/MKvwGEqfYE3y1UVblFv+fYxYfYxD9oDk+zCx+6h4rzOJnnuMC0cMVK9wO
vPIEFma4B/pZW1k6+hvmG4sn8ql8BLtpssvyMbyDfZt08BHyZ5Kdp4J49jPY
iPOywifSETtmSimTya6YD+YSX0T/VmlqAWXjcukx4rVY6OF92Lf7RfRvlV8s
4CEHkvHPzrEOd6ZQSR6ankdR50n8IRin/osBCRRaI/vkvtDog357o92tOawf
uZz22Dr/m9th53vTXS7J4/Yg//+7dLg9Qlz7OPb7cYLaRzvciLN9wyH9Bz6k
33DbSvj+Aq6rGPAMT0P8kYsaYvSuw9Zaru9wuY5PxzyayP01Fyo90tKumEnl
ay41sHlg0YI9gwRqxw5caGWLeBkDywgDkwSGOLNB5Coc8HfZaXJM+c6Nne+O
VyQip7/Zw6oiykPjNjFkf0Gb3x0nO2OKczzKZtDmztGKC7fPppfILHGUmsdA
+RLIdlOKRcUhnSAOKv31ZDg5e5IMsTkZ1/pgXVtgTdNt55nWl8tnGWU+IT6F
5N9d5rNZZsrIckI8nOPippZBfxGSXkyCjyJJx6I9d+YRk/kheTAeJzrlixj0
o449jgUJAfo8/mq3SwwWF/ql4NTA39vMcmNqkJ0hDux4tWfT0WDv3UDcieRR
rQg8vAKE0euIoAeklZe6Lg+2YjJ1gHISJOl2PO2HW8nLuCGsLdWu5VifTC94
sHiPetj3ZXoVjGW79nT9be0RHOlP3aPooZ9odetu+ICB6iVfmwpmr324W5D/
fIepfM+pLMubw317r1CSHxVsWXSjgNDEOR/uSWpjORtdFMNlzddcDrswVwlw
rRa9QVj5t1sJvYgf7jASFdLEFG6qbLqV7O8dP8OvwttXhbBGCffG7377u1A0
+93vf/d7fOeQAE0DBLqt5FUxyWgZXmKCMDG0MjSowsdkbHto/vQkqfRlsmzC
oZ/SfL4YnoIqXmZ/XCbCDB4Y5qNW/JAumxlWsGSfwZAXd2JmEwhguAz04YTU
INMALer8dOa/DFvkBRQhx2cVcigDfPf6ShIWar7bw2hdwWc1sbVbUs6Suq6v
LLJFWZUqJ6+7ygy6tUQ7lN9NeRICQBS3IcM4mFNqajYKYbEXUEzSCD5awRa2
bRVLrU3PI/K7v4VZH6e+oko2wlefTVPGhjH5XQvGue2zPyypLi0lyefJy/Q8
HwpcCZE7vYTfPENUHYyYn2Acdfjdy3SIIJflRXJGmGS4y2gH8k/B8lC9+OR/
SBC6fuzQVrnExCwdcuy+4nAGhwg3aZmVaBCmtgUzAgi2lMKbuk0TDtqGC2sr
wWjw16+YrlAxEvQYxCnnB3Q5qN1HdiIsYydgGUdfV89L9cz9FGem2uq/npt/
PTd/3+eGcRp32JrUekajD1VP+Yon9te5JuvG+Dht1aTRHO4dHSNOtUkZLEEu
LQ73VqwSfJ+adY/UVvl1kTHM8KG6nx88X/gh2d9NHpfuUKdJVX5dZBi7R9Dg
EbX84EDgX11oHnuAA8cNrT0qYv8TFrtOkGYybmFBSJWiq8QFC1+K/HyoCJ60
Y43p7MuV5EU+eZscY6rZLNmeCTIn68zB0Zk+eFwcPijxnuVhMc3akWT9oQP4
Gc8FbJ+E4diR0udBxA3b33Vu/KIxuC8Q4ckFERjz9icM3IAcUJAPcDFlham+
qSKSKJCoaTWoL50COwoaX24myXK9lW8ZUxSXH2FtXJZkvzLIM6NEabYnjxPE
287GMARBS1To6IzasUA746KgPOszrC7DVUYzqcmUcRoco5bxZPR9hiFBfHoE
3yn4Jd8ojmhCAAxY+Qn9BpgOO5uPcFdkLlOaS4ykTqjpYSmP0KbIqCBw/36O
er4DrZH6ToqSPzWiFiHj8bBxWhYNb3iRCTLrUAHkzhS+UdE7vadDD5KYNbVZ
j3hjK31kigWFSZth8Tmc6MTb2hj3QY+KK+zH1ckEWmnk5yCr5Su08bgElLW4
yieKB0PepJplyUKpkUeiYDykDCcIhYwt0rnFmcrlIIKWwOddZtlM8tYLMs1S
YvuZW0zeGMY4oCHI2CVT2I+mDbsZzc9Tg2LoK/3S5nFZbOhLwNBp0Qgj9Nrl
jDPoPedMkXxKVomwRqHmfLL91lPwTYZJ9SMHhozwcQLaqC2XruSqNIl7i2hS
jACjRTwV5ifCOLBFRg1KsWmdgak48VwT1hlEAFqmFbtm8N6YxYQStWItuRKH
WPkKT2f1IQOSPnJHnKhLoxECPinZ6H6BYeRwEd8JAo6x3bpG3VEhtCdTx9Ci
4SMij9blzoIlSU+La2LsrRalZ1NC7hstKSaZiriqx4JBzoCQdNW++0yByTVP
N1VIwRAlkKCrplQRYKJtVkBHQshzLReE8Vv8hmBacXPacZh2XPrBBUAINFrE
CeOumf9rT4Vodsyr87PkrpgL4gbSffgubcTEgUlOeIWvM+UqfOei+HQniJsE
/qP+GkbQkeJDgrgvtazxaxmfUxZ3ZGnefVaUeE+3hrPblseu01XXW0tT6N2i
4/SlohDjG/iNMN3FO4FwhoSUV84JJhBFCoGWwoEq6LMF7d5hdHgqMcig89JN
ZSqWSfod8TEA7GvyHteeQ70UJCG6p3BvwyReqvhjEmoZ7PDU14M+vTN1ZWkC
Jy5f2pWOU6+Rpjq+f7+FccSfmwKuYZJ1KTUDq5tYHV7NlzDSpisCPqcD2aFn
uyGEU9uPYhgvJNLwxZMnSaNzO+isSM0w8kPFDm1p5Ssq/oqop82E6eoETlkE
iGHKSjcUEGNFWbwFf6JitNuPwsVwOFQR+vo24gydVkdVwvLosBAEhG+UjbpK
YT5qlLB9zqcZYXoguP5pqni0gqNRnTMhazCHlRHIO4QHha9MlywIh3m0Zqzt
xbHvsP4hXXwZkWIj6TRxN+t2ZsW+zknj1de74et2CVcWx7QzaUVb6Y5Q7ZY/
DgplwZZrjwjzsqhHBLdxRUzjIXwAGssiqgvBKM8sPMsn9NbkOdVgvURzlRth
Act3KzSVavflRX4FKzO7wfICtqRMPrG3tLvVIjiVYd5iilBPtuuXDs3+rpwi
mApxcvjAcFBBnXSAUNzLgtprOyeHgkO3X7/0hHIdBTah/ikjBI2+hSC/Uqfj
UTacGqtBve3hi6VqPv0P1cVwHwUrUmerqTHF1Bt0sGdeBs+53FhwzWJ/Ja5f
xSH5sXPmnj2X/KHai+358KfquTbGqX6z1YrzRvWQBfTlCL69DFcnlZhpUWm1
L5cRSzybor2nKpAwOWsdHCOGkARMZb7VBGGk1PhcNqmUPPNvlVAMMjfLKIhI
L6rohLSS6mgCFD7py8EEcsUHL61YIpSr6cqB6LEv3MNnWrHfIS1DI6ut2RxY
HUudKsxPPeajFeuHRXp1v3ApHIBxyEx5omRBdSIuU9ejwny+qBJ9JZqMYHxx
ITI/HVLPhlQKmMMbpdAlXMkodWHFHdeAVKYkTR4x1HOGX0JLuQLiItZu6QGS
5gacmMscaZ0arRN1Jn4NXlAqgatloFQJuKfIFekgeODGd06X8HPzurFiRboF
wBpvBJHsa2SxghSOR66XJlkisbSSVv4q89lc1FDSdnA3OH5MQWCx2LtYqQy0
oitxTSDUcwOH6LmWFDpgY5YtDlVMbd0pUIrx7pgUggJL2HtTvUKW4U+EAnN7
gZvnI834Sw/0l6G5a2ZeRyy6aZnVvy5fEu6olXZvSLWeX7oBVUbgDHYJEE1W
aikvX5LT1IgkLwmCq5nKx1Jl09RSJPZBPCHZHgLLG0mNFbJwBhaDZm3BLySC
g9dHx2o3cKjtb6Z56yCdXWwly0/bPqjjqVidZSlMXMj7FT4FvXZnkDTYkzRa
USDrjAr/BmIP0gCbXamwF97YWEvWn0kUDnLg49docVLSmztEMzF3j3I0mBVo
SJcyY4i85Zii9TnaUmX3W9S1X4JCRXJ7UkbWai0DxnYWVxfK2V8Y4Y7gJ4MC
S77muBDTDEeLS+OL9Hn7g8iCdbRUI4a5Egt098kVSJMiCtmfMFszlZbotggK
/aauE4e9xnjMpkabfwZBG3MpJ8RWIW6YSl8HUpm7AJrenEKvyJGT1p1YCC1f
scPT48qhwgljxoKif3LA9mxyqgPOZdhSM1HU8lSs1vUH0VVXKFEjE9VnPi2w
2yJYf+UWdeyBK9DlkxGDGHJCQwRqN7mHM/jagw+vAcH2icL6b7As1r9B/fxs
FRjSnoDXEqukCh5wDaOWw9Rccwd6wUDu8+OdA9bzpX8xywTleR3hEfmbEWOt
1CEb1xh8m80fNsAA1ojnNSE4brzwdbRuVK5agl+DoALz1FuCYVVpVXhz5iWj
zKM3hYvVtUXTsaVG4vmoQVEO0mk5m1JxEpAn3Ny4NM6xeluU3uF08DxIrRvC
xTgOLVhsZ8yupIw1POkOAFeeizCEg/oaeEFr46fF6M44VvCjEN3aYY07ViNW
tZpK5AuLWzvg1iy2fqrFmav7eX2tdovoRppEK4EH0Hv+73EoC19lcS9sw/dG
6PH1R/+ejqoOZ8cKwggGQlEvPkAgq9bGRGsRX4Cuwi+Du9srV4vNDdqdbtJ4
M1GUU7w9TSAsLoQpIGlqagrjMjU1vTT1SRU19888j4oFQy5j0ayjE0G+11cc
QKdbna8QK7r1HUJoOru/L/HBwvzm6ibtgIDD2dKFvg7AaWY5Bou4LG6E1xSJ
FGdsKxfJhVokEa62B9ss7Q8NnAp0C0PV8hTp3bhIkVt5eGEKyPcVB5zqg/IH
axmEOXwK7Ptqii6vMy3MJtdgS+jHVbZ3Zmm5JuUQlPfcfs5+dHpn70CsbMGQ
/aai6X03ywoXQ7pz5Gpg5lHmKdsyNOnAwcJKoUxBcJaLETtHgFuVCmlJ4bQN
LzQxhTsJpIJ4OcTHLfGv2PczuVIlDj55hgLSu89U0CfZZ6Eg5ehSFjePD5Fe
+/Zoy0PO5qGHEBsUEb60go3K7r5aK3tfFW+9dL1oB/ELcdlrYrH3zMuwI85/
0GIYKuwZt7Ofa4PHu0LFlbzH03NdNN/c05I3AjV4ItwSWRxDx06XJFgjNcpR
YtTkgEM617uXQf1KPSm9MO8uv2ad8GRORyA1KXFKeehYbqsZey8JTI9hZVWd
lhu1l7MtQVQmLWoJHYymERYvCY1fnaaOw3EGd6BtubdEna15oVoDMDCYIbNq
kYHmfc20+x807Yc266Ftr93DRdVJDmm4+7H3cOCNGFzpV4tCxfVwtf7AT7Bz
1VXHw52Oi3PWlDDwROmIJLNFY3Knw95qpoKxGXHU/uOb6XEpZQVjp01wFcsW
6XD3aTI1icVIT93Y2v5PVcu76Ozww3bMpSDB5gf40xuCf/WDJCZuMc00EPjh
y06701uR1+hjguG915QRdRJF+G09IDvGbx8wUWxRseJmzPGqE/rhl96c7SZE
h1rOtLxCHz00vEcOLWJlf8+rTNWIIh71t7jIg3hQi3yl6sWgI+OStP3hXHTq
MI0L3l3osThedFpdvIVY3Lh0kXJc76pwNnfKsJsVM6mDdAMyG1ZSbc2m+VWp
qtQDligntx2KISWS29TC6uS2OoPLIrnN1LhaLLc5gWeh3LZIDFsoty0S9O6T
2+rm9SFym5G2Hpbb9h8pAVbktuPCFdyrEY+advYYUck+GooRCaS4h6W2e6XE
T7mUHxadPlnI+4tKO/ufLJz9HcukP7WQ9xfeuZ9H4vuglj5J6KvlxfVCX+/v
ROj7m5ARaqTDvydBbD8WxGoEy7/+Ilekw8cIYr0FgljdSXhIECPRhyDYTDEp
Gx2xgPVJSSe2pEZvNettmMwmSm7YW9x8ifBajs+NuMfVzzmjyob4KrNqqtyK
DYfPE0OvuBsWFLgjw2DUHweah/eDhAQM2p1O0vgqHVEGDjDeFcvrhYtzc1Iq
dDRXQ3A6luJ8ATms0IWxSu1SHixmjUoMDe1R0INcmXU9oG0Z00jIPSDRutzT
24xiM4B6yXEppUqjNDLNbQiX0m8Ue13v8ZYsdGBgvP1OQQ4bWLXABYaBOJdw
ccWhOOyTRwM1t8P1hqWNyI0WRFDuSYX71g5WuG8dYCRIa1a0Xg9n2ax1xKhX
MHM8NL4juvE13qnX7rf7HO90tLfzNU1hO3LP6bMDE7291tnEYss4ils4LxQH
gf4OuWJlYMlwTiE+rvYvA/xgZCV5Ku3krn1kJ97eU81OwTAZPPZJOUwxbAbL
iuY+qMFEZKYYY9qiktPzCefYUi1qvXXhUSorTyKDri9H0mtYgXMDxpNiCcPW
sLc9kxhjCz6y818Mowu20voPadYOZM/USk4aX598T8rF1ye/WfF0V1IoMbqi
3jhXz6TQMoEoaOmGsrYgCQOMkVkgfSgqGkxOAoqHWT5uJA0QcnrJH1eSp8lG
sqILQ9/drqg250qnKlIe+h+oWBsFVN9qWW4egmTKEPnl6g2GQ/SymXzfTG6v
WHv6p7srPqvlLLsq7yVSSdi5GqdD8rdQsnm3LbQ+E79fNh4BJVIOB3QiMlsw
9+8fmD0/beqPopSppwm08BnG0gSStB3yanSu8JpNXvNGvEy+TL5nK0GmacVa
w5WTsij0D9frztVR1jqE0NZOPU35EoFsO1A3kktlgWd87XNHTggQVnhiWkCw
FM2BOZQuw+QUjuZZPuNQo7C0oR+K+g41lVD8dTxNmVr9vBvehwB/yVYCQz/K
L3NgBVgKO5XChNeZBMJgXUdZyDt7hhHNi+MXFh7IGd4jFIRJsXelKSS5DDPF
lonsxZ27rG5oOSJBLV9a/tINSVfa0QKbhzSyQBy47OKl02IK1OtlMMvFjUz8
a/tgP0w11EqfCyaHaS3hg3RI5uNxcExR6BOVjzWUKVegj9dSsy4lgQrbYq4I
p1jvzz9l00KtXC6WY9H4/I3DAbxDwvKVEBmWCFxoqlb9FQUSRy/UY0Ysd+np
nY2qyWdeYZSC0pRQ07nt9JIGC154NOnv3/3wux+S71fashwgC04evyJp+ACe
HfafA0WhkEZgco4ALNsYBJwOodU1C28nun7x2N259IU/zokrFsWsVJ+7b8O8
tVLdk2BitJyyejAvWY6BLAf/8xuMifYJF4wayJc9FRzh+V4EgdmNefWmyifB
yJDyrqC/3i+BSH8F7fzyKf6S/Pl//T/1s95APvtCPulu9qJPNu1rXWgyhSZb
ffjlFH4ZdDurG/21/npvtbva6w563d5mv7cG/13f6HQG6721jUFns9sdDODJ
7urmJj65urQ62Oivwoj63UGnvzlYWx904JXu0tLXlMmdeuX+lg7QLXTV7a6u
b/Y6G5vdjX5/c63f6XU2V1cHaxud9e7qAFpYXd0YDPqDztr65mq3s7G22u/3
15b6mxub6521zfX19d76xsb65ub62hr0vbR0w+fCkVBy56QPv/vJDXTduKWl
6LulSU0N5Vv4+3SFHmg0ruCP7srTwYo82rgsRskVbcUdNLTRH/Q31ruwNOsd
WOqNztpGD35f3VgbwLTWemudzmpvoztY7fZgrdZgVVbXVwdL3bW1fm+119uE
SW7Cwx2skLi6FgZtECaA3BLnMP4UhAn5snHbTO5I3AjztCPREk4A8zDDL1Mb
lqsHa7W91rZixEELZtRaXduG5ZDjIBXDOcwJY8bpwmKShRF1aAH/t//EC/hL
oFNXs/yOSVMWkB77j/TYQ3ugi93WLF2Mr//q9WGT8MpZLCIsOae4vvsMv4fP
8WNVJByDQOhKha3BFOJsfOWvZVSAcaXPUrg981QMgxSFwskOm4NNFBcJKl3T
Hzr0CQ6B4586qw7UkxKg6FPY300tvusiA6kZGa/4Q0A8G2IM0leEo6RgpZGW
1MAXVuyQpGYz4lwLW+JwFLkquXw46a2UUU6V1rmkuFrmMB1c0ifnOSbDC1H9
+uj1K24YA/THFCxOkEQjxABFQmCl04lojADFr3ActNRhBlmQdLO1gRERSS3X
ovJq7pQmaDTablOWDamOy6OP8vR8UlBhZccsPeJBOiL1CWeajUSXgsFezC/T
SekUXlprggff9ZL3CxBM5rgoDdygFbvRNnUDtSh0a9/SrZAw3AcBCOOSu7gg
H6oIQ/EiCcZ8Uz3ooHmani4vLkXNJFG0xaWgFUYY1jD0FIZE+bn8F+k5JiG2
dMHqGITYYsG+xXKJ28JyiGqWiyPHyLELTC+9QDiDUhJRYJc8grcie1NPijNr
83JAYpEsg8v0D6jNQe9CbyJsobJ/TbodIzAh6oGbIRnsLZmIUlViqi6opphI
jKqfCRXDWu923g0MoJV8gKAkSmPGX3j6ciNKsVxTiaAvv0/iAV2moIG9e09g
H2k+rQyYzpjUbS8dri5mAwUPgqiO+oLcjLyVjHyiwLnHzn0S5E6QnjHLgbyY
lpCXINRb6YKP6w5ISl/zkf3lL5P93ZOdw71d9Fj/A6Krn/SSX/1K3I+XWaqY
aPyNQQ7wjN21wMmY9KDP8iH0lnw2nxk3RD5VVJPTDAgE5o5/SkrSPsmX+Zlp
98vkXTJItijj+73pBYcjkMMkTi6aDjQAX9k2fvWrpgTi86EhubNzO+in3c5g
0KE0HiIEwmIx8C3FEK5URrMq7y5P4XQv/+7z5WYyzglnRNY16X2eEFXiCtLl
eENn8hInSzuj1Csiond0RFtMyVe0REIeqiR5xo+PGA5CY3c4HeHNhohLCjIh
ifI2ChY/uRqnd+fkO4dGd06L6cvsEe6SZNdTmvvZE34U/FBdpdrEycf9LAX1
xfUHZO/qx/OJXICy2EuIkl7zaneju/Hgq62adzu3/fXKh3F9hCUu+lF9tdpr
9VWM16m+elZtz/K9JSLy6muDTuVDwx/xrW5vOHoSv9XDTxe/VfMSvjXod0Fh
6K8N6t9axreW47fWqm8ZRr3kjjB2+N69RWe2G4wRWPMSnvku1QekVQQ2wCPr
d7qdXrCEwch+a1/6vfaxUX2LroalpGGfX9HnK08n7ipYsi+Yyd/3yqccmAd9
SWivd7dP6FOiO23uZW4ntN6Xh4wCLt5FXqAqUcSFj2KjPjK9fCwmIF99SN7h
LE3ufKoAbFFyPL60xDW9gcv/Vhgv7NtT/HdpCaRAVPSWEmhpdMKVQ7aIN8NH
/0AfsuizlaB00FwCnQ6vjS5qpp/j90t8iwR/9sM/B/7PJR8hwt2+3Dv+5vWu
7/Pozf7x3tHJPnzCw8YP0XytA+D0dP4LZgF8p93u9Xm4NDIao48G4W6+PvnN
yc7+wTd7h8d73x/Dx2Y+PhSDnzXP9eueG1SfG9jn2CHEz7jCUm6CrqTUFhpW
6QUUA+V5/DXeBkV38Ssg1uYtkuqwCUu3ruYE0BTrd4+u6mD1sypckxb9gTcl
SSlh0DoU6V0qXFwxj8QHFvYy35/gKJF4T4P1OtWv4U/BXQJhb5ReKaoi2rnk
sneAVgaDKKfEbgd8yIBgpWaKcIiTHlUBnmet9ETWoeN15RNcpq7ArbnKGj6Z
STslKw35g+odLygVYSrT3g6FJb1+TvEY/gyQ+OJIlcDmSudYdPD4HtYHxddR
8uT2CYs5DiS4zU2tG+ca7GL//XuXgUJwJEhGpR1BPxjBwI4gZVwqNxqxdE4d
7oDsJi41yuq8VvGCshCZ1zsDy2S13Wutqj3FkV47GjJlRKrfjPznZBUcpzkf
DJxDWpbFME91OC7leGKpDp2H9PBE9TFNSb2mbGTuOGpK/F0wpxOnwepCicdF
QhApsRLDI1iVzaREFabZzik/VRps6DcnaTpakQPAtDvXQMZ8Ithc+AeB67CV
pNtdE1+Y7loOGh5wDwokG6j4e9l3ku/lAI0tFjlqJayvlSAAlGAP4Qo9h9ae
n+T8+asCZflX8NH+t/rZgVv5g3Ak/PW2Xz8yHGzDy7/7bbKsVLEscETH38DY
ERv0c+JKzEcsdfY47ZJKZDIEVo+PaEDB8TPd5iPImMTXaZVy6dw/SLYDINuB
2tgjsnUssUq1Kc4zJCLNE5RQjuankZIzXVwRHJwdjJI+Qf7lQXYfWUUpIpVG
wuwreJOBkewCWXbILglVCISi8Af23G1sd9nMrZnYYTddIMvv+VW2qix4mu8f
eYFSesMgxMuep3zGXcFycxnlSsbVNEitlUC/u+T79mpnkwAr8F9MHGU9E/Xw
Oy9hBciz6nvY7K91XL8mjrrMRH5kXa+FrSKAHPoRMBiHUKRYwnI+pSe3q7Mn
OI4nQ/zFjzY8xXpyVaW/JTtAH0UR2qkd6OobbP49Zw7i9/vY7GGz9s3jr3b7
D7/7Cxx6MeXRY+UPO+y5Dnv+wcNeRWlmmn/AYAeL3mhL1JV/w3u0xfCG45Ws
b2B7RAAI9pjP1IsKx+SOkd4UwiJXJFMFS6GQJ0KVGymuYsrhKT5y1N/cT97m
oyfsFQ0mgrOAr+Cv92pO5D/p48rU6CAqHj3ami7lBlPGD+/ijIjwvZvE90mu
H1kFNSdWjkVTgDDYF/UugZ1twn9mCbsBeWQ4TBVNCajC9UFwe2gdckeL2Ixb
aCQeovkIcC21hw7d3xTGNalJGE7d7kqIBrshaivmDFeHOOrbVWqwGR7dB4+q
Nx+ZI+6n4kU8LIlE4uPOUd2gPRZE3SBLixnM4GxxTTjOwIgLYGtdnG+JrStk
yrvPUAhveX/We03JFgij0uXFR9L6VNoj5AdqTAmLWgTybuUjlCdIPp84JGyO
FZxkKBejZ0JhmlNf1+E6GOJpdldMosC+APvgO7qCw5eIlgnQgIMcGJFCHTHw
17i4Q1tejJJEBvopVnhjF41P2pUYFELUzckiPp8xgA8aCCmSK3e4NuLIkDTy
DJcRdj8cIsY0ekKX2D6M2+GZMtQQi3jZLe443igkwkgmfZk0/CkgEycjCyBq
9tQhe80Za/4inxLGNKILwdha5HxBrxH5g7LZsL1CR1kKYKriNyKE9VNGuYn1
NUPbBGpBPZpPKV4GI5TVbRzMg5c5nQyxZAWoldvBRdp0Qzdakgy0wgxMxJ/l
C3hBw1kjMKoMwc4otam6IsBNEV88jBsMFglFC4dYQQe3YOyg8VlLxBnT8VPt
VbG5GEGc5qsBuWbEVX8wryQ5DTTlgfiimHCOqSWMvCOwiXnpkGdnxdlcsYBm
1j50k6m7jWOqMmOVoqCXgDZJPi2ziGAVaVYCWDU+qAbVlY4Gz99ZzTl0UfFO
HOzHOD+dplTrCq0R3wofEnkzYmE7/ri8++zaPdoihuPpTty/C6mVhiY3W8UZ
Nqu++RbVf94SKw8ih3Hw2aeZk5cD6uR7fCISI3H9WGRshhJ0iZdEPiQJngQH
pBFGV18e5ef5LB07UZnLp0RFkq1VYXFT8Os2SiS4Nct8bfV765vv37MDZEAO
kIcHz5EQEjXouR6rDCBVJIwFje/iX1+Rl4oc1eYWZCXhz//876CBP//zv6eP
4a/J6Rn+xYX6BKCcQ/HUG1RyBPRnyT5H7SGu07vPcveHUoJFJcOjMwI9YJQR
P9CQqABppuAI05GHR5qIqi3RDirbOSUzBNojWuGLLnVuKB9ayCc6TUTZ9OMl
iCnE3KJUu7w8zbn7AIDGNxPKmRyOMRzPBTQpBelqx2txs4tpMT+/kKxBdqi3
k5cFqSiIM676o3GeOpj4PGQnsOwHcg/6chZ+/UpvhCOe4YgQJxyElMdz4VMW
rq6Xo31DdN1yD7ZbQTKrXfFUojSmUk6Jgqcr6x/C+oZsN9XSAdolx/ykCqzD
26MoO8hk7humWB3FgGBYjuh3wSkD4hd13dPZVCEyGTJNihbwLsqdRKqXeWVn
W4OW4ebCcFadkRssXkQ4Xomh5UEHs6wZcKkQR6Yrz4WIi3zHQYoH/CmaKvcn
Z9PUWzgaB8/3V1yQemUFItLXuPA5G2T4/p5P8j/OuUabqmIwweKSoPbpwzR5
JZPYJmx64RukgDVebe9zvgjeTbdy0N9wm/a5vTf4XHTY7EF8Utqht9lq5UKI
b2Qlnu+HswV++MAsfck0hc9xNUKIRzZKDNsQkLcn8NaTpCHvrvhNkI6Rv1Hn
kuhCbPgeeWalOjR3Gl1okrGHOi2mepmGh50ksCqetj+U9TK1pKmSV433SJeJ
Aze4CAaTcSBBSrisslZn1uFJWSmM95fisBAr0IhskRnZ9qyDWyh9bCWk+5KW
LlEZIirdL0/i46gwekvggtV1KosZVaCaidaf7KUUtSG3B0HrOXkGUwq5FeWl
1Z6eysIvWAk6S8JiZe2qbZQPNFI6CyvfppY3XV7Cu45hMprb4suTwrvvSorx
qomgTye+aLqVoDTaTgvZ4MKMs9G5i2NRAypJiUf7X7/cxoBP/Pf9e1hdQW3j
y7gSku1cFMtKhMvqhtKKFtzk6Z17jS8CbM69DfxvfA/JuTUMEpMXGjGVsTH3
WZbtkFJ98tf2eIalwpel3I+Tg+x9aai20uIysyzYtAao72NWLHiqVykiZNNt
dFYM55gzGEkLUs8HTxviqw1zSbeiOACPtVaHZa3qey2rMnfWCjtHA/Uak26l
mA0Kkduiub77DNeuhdi2msX5yRed1Y2lSn0wlG2n6YPevBJcN3ysWa/l40wF
kVLSGDMQARZoy3Rc/4Ddku3JPiZetmAEBOUrzAiV5UJrL1nWo5lsVie/mZSx
Bqx0Y2fxGvdfdDxnBGhFYxadtGD9eZhdcbbSo2/bLF4qLYQULFmdxcBeBmW4
XWG1pIwkWLpesE9eygdaBGakAgy6S2bFVCV6e0HI8aLP4YxJdKPXJVUvX6gG
1ymvdYfBBaaW5RyB8O5TB4ODDjrcPr2DahwxioWaH7TtdD2JSY50PV650EYj
icNpuAGS4BgSWDphpkAkxXekbIJZEVrLGjpnKIlokxcurKfA2ICC2JmjbKFs
ZEYiGTX3GDkQ3HwqsZUmk8sLVtY8VzlhOjX1gFSkwgflwXpG9WiJj7Qrvpbo
vpjRlUxDqB8mF+G8LuTToxlQeclYQvJZnbaf3rmEQHcohUkF5kuBvsXG3nrw
aDRetdBFjOISxRaj7wbH61BQKWmcxEXyAbXGBKkdGEHPrGjr48Cd5US5pKFD
uvKuNGlCTQ/Ta/SISBUXP2/OHAHW8tWc7dliam/aJsf5GUU4E+nH75JIMc0k
dJaSKqd3ePBKcrRLkeNpYX1gVGdiDr2aTbE3rqyP9WwA/e+JfzY27ZH7v7G3
veuSjrN01NKCcAoqlTB6ruqdo+S1Oh+wmhzaPl0BAqrh6OyvIsRFlHl65+0/
uMYeIwk9aA56qUbYpExXnyp6i1ePoty3E+9N48Fo95dz8iNGo4DNvp6PcccI
t7tQBKpiQjKFk19Frp9yoPd8UqZnmTHZj3Gq7eQbkI+B0hWT4aoAPUjaRZFz
auuUyOkNigQpLNh8QqgiYgpr3WWzljJMVRmicHuHYSv+i4W8TfQ5d+XYSlvo
tZGBwjjPs3bQpmLWGLP5KQVYc7K1N/c81GLFgJ40jl8/exPkKsY8Q32gcfki
xbjVgpAimepg4N6CliPcNZCXbhG+XBAK2IOU7BfHxjUlHijmkS5X5rwoRt4b
BYryCEUUSVcb31nio6cy05czvRGrEgPSTY5WBEylz4YXk2JcnLsc7pKd22i+
IrECz/xUqnVO/Xe4uJPhnc0qC445gl2bU/7us+Bom7oFhA88mg+ZP/oinEHa
D0fUCxod38QUso375L2CPhLEL1ZQK0LdExgfPk1nmuDLm4vmFeVbyBzU1+na
TINpjRzziuL/Sk052d41Ka5RGMr2LqMmBNG8Ild7ayzMWZ35aq4VbH1sPHA2
yQmm4qugH1Ek5pDyoCeEVRLkRZBhKIKtsGIp2lHo1AdTbprqu1wPk+JpNWQu
XB40Cp5hDnYDBL3rAjQxkgjhejrTjK3+2hoKNNMMJFfxuFOwsMUbBGEkRX7c
GqdvMxKH/iQuim2R7cwUptklngOEJCtnlSH75mXAe8w3tv3jgs0Hu3rctN5/
oJWylSH6SnW4fR6NrJ8ZjVWAsgnco+x6FjOE0e0yF3UrEDggiB0dNnmVepsb
tErW9EjdejhAEtFHi/yhDZbcOTywt8HJlvzJg9ENK2xD97FNdBWh9bysrMOA
ikovPio+p0mLJqPLaOID2uD8CZiJxzmk7wTMA0lehM16Z2TdmUd8B0PXMTlX
6WXBrokL+jiICqACGGStlBHQkedSyI2UfGBx0QaW37ESzVytmlTyB73OVw61
QeICKs0GRz6o5xAWWzXcyEvcMy1yIYwmclo2F8V6WPmO8rSAO+C06RIM5Urz
aDOOyTFrg7NQxzQHskp2YxAcoAgVssNWcncm8HrfrY0TOY62hWYQBAeVK+rk
FimLbvX0GtitCmcVVzc/GCxz6WQb5l+GYVfjV3jf0/IOA3cc3jvJJcpBCKIC
vRfCPB3/esT4hqkCjEYibmimsJ6yqubvZWGZLr+pcrOzOVRqQDnx2qy7rXkR
ScK25jSao636xtXXFlFmrGiHxj3s3VAC4tl4J9hCfmF7x3pnpvSKbqPtVvQE
yj10GxleBbKRTvtztWrgDjg6tKUnODdGkXhAHTOVHiq7wWMivBxXcxmtZypg
hzH8eNwEQwW1A4WBrFiz9SMPpSsWpkVrNc18xWiXsu3KwQvfkYNlKnzcR74R
W7p3q7TyF0nfjDHkq66Wkq3r2aQrJxqoVWIxZe+gQwytqwvbKKztXZOR5GJY
NLb63A+DuUUhU/4pTg2ZMu4QJj8/RiA6vshqLgG6M2fZZdJw+VtNm7e14guJ
1CywtRUGke7WR8SPeguHTxTLbdiis66kkxREKQoS9L42shNparTPKnOFBl3y
EEpuooAZxwalVNUXo1MkIoF0q5+pBPbYbGVYOfWgMJmXWLkZMwu0IV1bGgnq
Y47d6VxRyGf8HK2NRV4I1MVqByFaoqu+ZoI+fWfBphTDOYdZBUKTEoF7VCUu
fCCfouoEk0gnGXRDBgS0XaJ4R4JayJCYIRYzLgTmQu4xxNv15bnUgksy5J/h
VYlkxKGQNERZCsMq6LojVw6DU8x8vDYsFEHU+OUkVgfcbBhjkqmIyMWdeGPJ
zcQQMZQTxLvGMmkLP3K5RiKPSWkvPVS4NFw3KzxDRjB0wTQq3bZ9fdhINSWD
nMmV91tO4UtaXZS0ZBdIa2aeju9Aa5MwYLMPB9PiDJ1tinP67jPsuAUtO5RI
1cu9DgpCP5xMNQpaTOHwiF1x487VzF+xXM5VbYFS9Eg5u1jQxPfi13dBWRgD
exUaWbaWlrptX1cKARqodFO1aDUhSisetVS/zG6vgqpJFjq+8aW/WlfQbvQU
xtZFhNwmWqUjTE+2ubeXem3NTP0y6SaNfSalIKSvmRzKp6haDJPdb8TH2G9r
MABnju3v7e0lG51eu7t9CJJpdr2/67BIOPI0dtVqTHnnMTpcm3JmPofRpEMx
8GgsgjeYIS8eiXlVBJGuvqiB+/uYkDAgCAiBy6GkBV5r5tfE/wkjXuARXGJ4
e2nQ1siH3IXTyjww77G6lTZsgXM88ChSw5fpFUk+JjITduHt7G6lmbTgt+H0
WoBKWr2kYXE2V9phugiN5t3xV7uY8gtjggOfJHugcxSIFo6FaLcS+lY0z/oc
Ap49TOfJ2+GwfOIwDytB+kur7eQ+JZlSyjj/wOTRMiHU1AVdIAysQSdv9ltr
DkJdQ7EXRhGS58nZLqLVhzVbRxOjnmOXD7pV4flUO8wkqTkjHjnTDpGj7zOH
elHAUT94sb3/SjKu3302TqfnWcvlbZ70gD19xSc2hPU0KZvwl22EaPH53m+O
jg/3tl+irYct4lQ2km8UTo4u4zcJ4fF2COfbySOMoqmM6+T57jPnpri9gnUn
1e3MXHCUreWkT+z36JttoEBUXgjKqrVHL3pke76HaHS8Q5K6XZhmsWMdDIy/
t7pqIL6wyxN+SU1L5iOl2rBVP7GFQxcAHcnMMRJwJJvTetMkV9fI01PTWLNm
CPSEx4vt94hX+LIbl+ktyCiX5i27V/BGuAp9zOPf6K51uBnyb+KVF73k7gER
LFCmIKs4SUbAijeSt185h6qL+3XuvyaXx2MpDEFgL9iIfgV3ZcbWCI+jXRbj
OZGow96lGCUPSycGMbSiJQXvLcWDETWomXYb1LWZuFAYLoJN4Xnpk8oCDUWC
Mkc+qRGX2oMV71drhsqxfo7RRWgSu84o5krrvpIfUYdUuqhgSdprL6z5bpaA
yRzHX3pPWjAwxJqKZCAnaOcTNTDRqbUHCf/nYF8EFAnNkw4mgdV+J/wGFEHr
MKNED43mLpODRr5iEHtBhEBArYIgKu85euINFM8bn5txSoViQPk4aODvK7IO
eHN1kl9qFx7y72WIzrFkB/slNNJZQQz8Rhf/abfb9Ac1HAI8MBv43Q/uTifz
C/4yUbLCm1TympmSpGZ3ymUbcRcMF3XSMyrZMmq6noxIaniyKoj4NGK8pWWY
VIdmr9Zled5Do+eQ0l3t+AMcji+DHfse7n4zrnDauzwF7Bo16Nk0Sy+h76h1
O60vQfJ4yauKv8C6uoXFvxctbdggPgkk86Vn1o3k4PD5SQ/YYyunNHa4hnjV
GkhdK0nUqHfe5WfuQT/rFUshfJcQKYRLo5wzvClrZzssMHxupBHcXNmDKxS8
HZ2JNcEkt5exXlkxEFLAVSlpE6YM3nFgfGSMDW+t0dBGUn0vKLoBi5MHbWgm
IbBowjvOI6mBQooMwXANlBoNhY0Bwp0x1HjmUeok84PNuQQVEFk7jIrE0ovs
dXb35gpD1UB4AZKb0+/vJSSVzdtanosg24cSlMRQ0hFUCaEhXlBEams6n0xc
tYHITegZbGA0UUZaGZrNRfTyBK4bUilcPBoNVHkRg7ARmbopBaLkeflCo1lJ
RVlGZrjsBIyxa9zgCHD7wrjdcNFCNx7PuZSx09C8NnhVZvNRwQUoSBW/0AwI
7WGYkpqV6lfAzfAruOz5ZlegOq6SxWeEDJ5yRnBqlmDI/Aa0gaZiLwyO0YeO
IoAp1oGToT6MXEh/x5BvqHNEy9twuD0rWwKIYNc4YCdmPZtJlwEs8NVmIOut
RM24BQjaMp1AWx3B2gjbqblN7AMg6wDHKv/bfzDCJKGi5hMR4+4TLZ0lpsa+
asEaDSXOuP6YWzGy6oo4LG4OjfuW1vkoeipEyYzCVowMxsXPspHeGPJSzLWU
sXpup7YpSu732MGyJRreZqM5cejzCRFKKhQ9hXZBJeJ4B85AoZWSbLB67hEf
LhwbkStRdCZopcDaGvqUIwLK1YUPY0pfYesSWXi5UhQh8PPJdC5DxdhHnyEx
CxIZCHBRx0TjwF4EDiqKvIvbIR3oqs76X+Hg9sR5onDGTQqVdcyMCqPAKuRl
wCTGoIaX6qzxX6OYGxVzcWvpovDCs44QMRKsQgKel04jrc2N1AnfqpYQP/cU
p5eOC/epXBrG5Hmec6VxYJioQdfZHKkUd3iHtCuDimKeLrNsJv6T82l6BTSs
Wql6j5AeSWJGP4Z3zGtBRJwOLPJbKshGd/bMTwgNY2S8mhCWMTxGtcyrQ6+9
AHknvH8kTH2FqeFtSs+ckclvMgssjn7SzWj30WgfRJe5b1kBOpuTMc88Uvpo
F00i8W4kyl5wZKnCsZj/sP3sFiSRmcYuYkDG+lqP4JccoBDpk+RQFGscnSi6
YzEJZppM8/Ktk2louehGu5uklwhYnvq08CCqINk2odVEbXiCC0uFqKdKXVAY
yPM3u6+P7q38iWAPIvIQLrczMB+oGxDDdbPkJaZXTbLY1OylS4Nr7zyIJb16
ya86FTrkyvqpKddOPZYCwYO3FIfQI3Z3eoVZ1ELPKarGmO1eynPOq4R3zYS3
MmeIYLihpsP5JYwIfXHtCrx8OFT44A8cxWACKxTr18QEGHEaRytAvEHc8JZL
34tqgOELpxlFdSGxN4j2CwrnQi0U5rECb36DCagRWgP6FCTH1ztuJHRT7jnL
eUWTO9z5dpenSQOCiVQxAtBK71OOJB8AGRYt5cvtHZ+jykheksPtdrRCLHa7
2a7ogPGaenu7YIRgD/BSQVcBq0F0Jx4dbx8e4xffbe8fn7yUIDB08JcBRhkq
EPsKyQ3n0CgjYq4PCzLOtDKJibFwXYvZU7rE3re/eg2Kym5QLpIb5CKbSeM7
YutHKh3tsHR0hNKRRN/7ntC5xem/tAZauicQqUo5JnlpE3WjcrrxiGWYVNwA
F45lIo9L6MLpzQ4hjBoxX0r5Jvh1EtsowhJDEeeTWcWcWJpRx4EOsBNvrgqr
FaboD29FxT8fv/hIxvirtayXiQniaXNJGnM0uS9CrSa/rdFLH7Pz2uOCnfeB
G5F2HXbzyB6+PXyGv7bjs4OladJpVkbz9vEhZ3LAKF6KqtDcVddAahuRFCsF
aO4blwwmnPmZ6TSP4lZKCrN7fKs7r18evNjDdt2BrdP6HSsy9VZrdq7KCAbO
tv+T8QE35GBVfgIa9w03vlxmgh8sr3iSH/wUJF+/cAsIcvDRJD94JMlTDwd7
h0f7RzJxJg6Y+P0U4SRpIY1HUwahggopBFEmZiXZuuAsoR5RMdQQal4PD8Tj
1jogKLcWD6PNJ1iENqn836+Y2dP3ppxq8PPD0oIv+Fu4uAxgbPfRTR0S/Wux
TPy5XtJL6JcxJLfydHr/f7q39YV9ux5tYduHxkrfHsRHBceKX3xRBx+uDPqT
xvotq9I/91CFu37SUIP97z92oI1g/wkF/r6BerqPv/ri/sF/5KQaMbEMVh7x
1kN9NeLtgUavF4+BiWDhqsAgmS+u1I7FcJwHTvDCz7W87gPvNyJq5QE9xDcW
fH7vWwsX6563/I0Rs5Uv7kP6v6/ysxGmIx0mutqt+hIYFCuM3WkrvKddvtEe
dU0/3Li0GdzQpJo7WUk9OaGIw1aYRysriohaH0gbwJxXao9+kMTwQTNmHtcV
Idm/84CQ3Pt4IfmecclgFgnJvU8Wkvmi7C9Sdvsfq+zeMyfp0s5p4UHoP7hC
pjXexP7jBdaHW5cmP1pW/aAeAiGd96j/kKy6QHt5PN0Ofha6rVVkaCK+33rS
xb4+WjR/9JA+TBSu//Gi8KKfh660WGjoPra1WrFtsTQs3O2nlDAfI7h/vIT5
aUMNJMxHi8K1GsbigQrf+Uk1jEdLwx+lYXzaWKP9f+xQa0XYxSKqO6SfdK4a
AQUMHpBH75cgF3/reMhHioXJDkcjvCjOl5YOn+1IUPFWcjCmokwcaFeJLfk8
eYbsrNUjqaDV6yG8PZbZoBQ5fAEd4Ohz1uxK9GxwwH1O3gnXQodb6HILh1rS
zqWtUVjjBdeZLGdY6QmuttP0nB7fv6SMMan0SOmZEg4+yiZ5OsbAcUmmcJ9P
+XYvuVQIheYVk5b8yf7uCbq3GFhHw4AwGgUHkE5cUz7w0Kc3iJvxj/N0Mptf
auWMaUmj3Rmnxh9hEoukQUVxYHeVj6XptweSVYAr6SaCjqkrF+1IId/726+2
JR9n6rWoz33JT3jwWX6O7sLVJlVPFVlBPuyuyy5cyqpOL5Pl0fzy8m6Zvvgm
nV4Wk/xP+BZsKHVOX7yRSAaXg80fbw8Vk47yW/y2dzd52zu8MCeHphCPrZ3i
vp7KkGhXMFiNvtnzcj5KEAoM4kZh0W7iFzqIQElX/wqG3CL22oyymRg2hx5/
KSLlKBvNbfg474sZkfMXYnhsMbqjt49h+XKGrdBNy0uMwMgnmAnf+hVSLGoS
jqDErTidT5Kn6CbjwwkPinN3ARkZn4k0deOiH6bkiY/CKeQppO5pMc7qDH5k
SwwSWpekwg6TepQJhY9jVgEHewxvZovIwpPABpFAd7NmUluaDSLwL+TiQQQ+
/VwGfaRJK5oEEnhevSCGk9RJu4NkPPry1Y5WLxIjqGZOytdKDYRoMpb8cYxU
Iq+SP6tdPFpX43SIxwS96+jAUgL5JpqCOceSXz6Ocg70DLuMRUIe1uzDaGxG
aG64it8r8tABook7drNjNd1Jdl7g0uHz4tilfXmNgQPKkXRbHNslXylDFmNw
YsD9gSxdNW7dt1fppaL3l6gRSFacJyGkQiyjqrrcGeFMBk1tYWw/Bp48Pcwo
UTp4uKm7TPFWOez+LYzwbpxZfkWsaSxoFr7oxsyf1y3NnsEcHjh//NcJVZwM
XzcvNTWgY/lk2d5Wy61l3QA4CPktvrbMQR/LSNkaeaND01MzlupPlew5xqHU
x19xZCAvD5s/JE4h8DfrwB1L5pxD+dgVw855bzkf8fQumfCW7k3OCZipvKKw
mHiodPE4QH9Oa/O3EFPliPzpZsxABfO6e8NeQebcGNaxzqxjg4UGIWu8z2CM
Aua1vStr4Y7Nl0mnmRz4ZH+5UuTGu6Y38bXybjJLb3+Bb7LN58YlOf7CZP3K
VxraWsPFYO/0wHiM5mlQ4103ZWH1Cl2Og+fy255e5YUrnswTfZuP3NoFZeQ9
xi2HBt2ZRDPy7Icp3eQNcggAjnB9HAghhiiawMjdWsqIODsiCr24J48+ZvUK
IufjPTTcxy1iGV+vCYm2l5L8aiIINCjqqRvmL+wlDJ/z+cWgEUvPVHGUdsaX
fkGQNRQcVJjiUbzAdDADCDUh8xVZhb5+sWOJdo2Jdp2JlqbX8pFuInEVjuKD
8VxleIfcYEAQp/K4WDQHnKX3o1LhnXIjieE0NQTilWShXzFL0lk4ELmWXFwP
UVvNJeVHm4ZiX9Ig4NIbEtLgmpllHLJEsUDjMvuH5Iq1jZIQSS+BVlbMuq3y
uq1JCS0U/ly6YJmOXd2SMF6akxv4Fc6hfKr5rAYbHRrrP4X/DPjBXa6GOEdO
x0xDMWwwVwfzZyS6EsOfYOScaFHlwgT0qzHvhA7CEVSnOXDEaQ5iJmURRgYC
PgimeCqlnbIQSDuSS/aWgAWgVrYUsOGyXjpb0ltbABQZNoHiyWhrDT0ohD7G
bgH7for1dZM6qTNzyApoN+N2CMhrOKvhcZ9TSfDkdA4CEawP6itYCFhuDLPZ
A97s1SUVyGpoVgOKw88obvfGZvOWS7qmjiMy1XDaL5beDWA3ZDe8tg0LO2H8
OYwMvqDt5WhuYgQpRrO1qEMt9+56fGnLufNk8BJR1Y7qF3GY3ZK8sRukxOiN
U/8tSIyseT4l5dX9ad9iktQ72YpQu1uLwSrrNlvH8EJyUvVMCAvbfaYPIKS0
OYXEBSW02RB4zPlSraDV0uBlbc/Iqws1D31WwK1FZSK0XOMkgLUm944+DYR1
lssdS2CFBn6cIS4F2tK8UEeJHi4M8RiyEUjCeM3pWy8rCaLBiYcH4AKb4rGw
ilGfz8BAVNCpltLg7rtSJrfbFu3Yj6zuXJiaIpy6GR2QOnHBPoLnpULmwNKl
ZPUKa4WMckiAPnBKqC7BY6/xw+xmmrMk0m+vuvW2FEjb8lCJNw1lNtGi2tj2
I4CZLM4LJgp4hW4VFTp3PU8sn9+tzmDD7T0azhSSg/mjB22ptLSnr3kB0zB+
5FVWath9ppKzvkaGNlIkTziTZXpOmCtGypXbM7j/XK6KPK6PiaKpjYisS/fR
nKvfjMf8UCm6rgjSyALK4QUI++MsHiPxI7iwfSIIShnXRT4SfCakcjS2IQ2L
IuPyZ2GUaG9zrAHYyuC2fwlvcjlp+iDrO4YJf9F7+9/CL0HiSfzkK8412nJZ
GLVPM7q+SAqGQonk80mch+8KpFyk02yk1saAGcJuqjihiadKuC1NfpM8qDBJ
pjI+0+RzHylvG5WEfq+T7rnlRF12HKK86CRabPWkoG3aYyPlhdHhqpxg4DYu
uigmV2lZOmHSmZYY+F5VAnnVgT4EkWhhnUpEc5zmGUJNSyQ6iftqNjOmFGvr
oc84v8ssiS+87QRbszy+bLcaS+QwMhosJW9LapcYI63SqqjHCJ7lQazFNozA
5XnW8vcLsE8R6FBsvBJlFpdXhxgI15x2gXboADsoeOYeOdCK6eigQDllCOL3
NEIimlAZD764lgKK9zyZs1HgJhVkPHnuWQGC7iiJTzT5eB32DJuOvPnODEt5
ogk7DAyw96ja8MVCPYe/tWHdlucbA5g7ntu77tcgtSEYLjCfPCXWKDZvCy6U
IH4RgT8pn6rxKEc6mJEEeiwJ9FlYQPh5IsPgkS0mIQKIQNoWruyNv3Lvav0d
5MBLD980H0vLH0Ncld0kzvY8nV2MQYRoJkcztFHALy/T6RDUsKMs5U/P4N+l
mhu+vqDs/Sr2y+N9d+kT2zGU8qjD5feEvWK6Nf6iSEPSKJLney/L6Bk5NfUF
ds04eBWP9x957kNtAPG2/nEn2Gc9X3FufnBgluTWGqcTf1XYEbsldsrGTrsf
DJGS5CfEy2t8AuwN7Ha3ZGyuNs3Ijj0GUg3XR1n1GwRvwpCWnaPgcynCNRkF
tveFa058a+e746dxO+quE+eJXtnuUueDGCwywRecpHjyck2DBXU/aaRjdMZx
uZlQkltRM1RIokvCoLbc4SWF2s8tpTcE8ArlNkIwJ5vsXbAh7PorExByJd+I
N4wA9AW83Z2JWC/UkWGqXZtmRyteAL+BzSvmU7ilSPN3Xbu97rALsNvZEv1O
nC0KmZ4zIVFilq147iL1HIe5IlIiGlEqRXMHLiyDeKHWwmk/Q754VOylr4Xl
ubm8zaljIh/vCiENVFwWC2mEGn/DhIKUAp/smPsRlDlKasQeMi3jJ0wXVHm0
H/jlYfdYZ1OW5+uT31RgJJzRw4r0VElJDRyiZW7vCAgF/tZ3r0lBZc0iDvR5
WUAGdP7zP/87WTKshCPagN4MLJ2zA7ViFogOsbqkBk2SVHedscBuAAvQ/oag
hGjrrDoTtD4atRUi1PDiMhgnFjqoukHB2AyBm5GC/teMr5cDy3BYgyYNiKDm
ek9Ud4ENVvxawqDzZiDnj8d1dAAfDkoIhVASKHQ/jWXK3hWkSMJzoRFQZSYE
O4gHCBuJajIi6kTp27ixNG54pPrVB5gZXV8Y9Mck/mQyH49lWZ5gJbQnangj
jEMfJGLjZcMuibv5m0lNaqTXZKN4o4GRG8t7h91FnQ05SgduYDsnt9aL702B
TqfIZyjjqNvCj1TMHEJzBLJ4AmLWoZPzEIyJPm4SE7V6uL8P8IieeCmVXWJl
ZhiCKiW/oLFiOjwZOQn3y9eOmRDC5ziXJmGDLlMkV1mmXVF76mEBLdGa+8KM
IThvikl4+yDVocQRplFSA9t7R62vd14yN7tI4f97HejooBjfdfsdtfzKrUb7
gvYn2oKbgu1QZslwu18dbTu1aOYkNsuxnZM5iEmSq8CrC5KfL8Usyvlpy/EH
5S60bSDtkjxtjZ0+L51r6E7Ts1mrko5OdyS3JU/TMhDUp5azND78WrOTDEUW
fBDFo8y899w05Czt/lSwP6qzvhWu+KxOZ87dHMn9IraQfkjNy4Je7XU8B6cC
/OIaKzJiz5FgLYRiQ5futCknS71AWWrZP221KFXqPUUvy2W17K8ja1o2oqAL
WRir/xvneAaXB46fhvvyzRElORx98/rNi13xUaE6KNuAuL8+34DAsFsO7A0X
qsOaL8ca2XuObykCWuYvTTvy3FgKxRpX57LnTRKPtowRCsmy+DrDVXKatPpm
9oC5EZhmnZMmHpfw01pocHsgFp8FVEMfPAnGyfrA1cK8dXl7fgs61BhBf7Fu
zzIaqZfvKeyzbKfnI82oIIg5MCcDczzY7dhZ2/LrqQdttd1LlvX8Gdf46/ls
DKQovb1WByAeH6yORhb0k27yZYL3YZBc4vuQWjwu415tDs2EPAthKj58Gpwb
S93k+o3CKe1FKzH1jFGsLEV8DQZJut9eZ33CKXScKz8x64HPLId2D8oxQm1/
WbcO9X+Dm4geGSRq9LgOSWCtrvM9BqCYwl3lBrJM10sL1UAZ8RbBuQo5mQ5g
mcOfdgXAvIQHWGl1qC/LgUymlgbnlEeUdLwFaRcwANLTF3s6O6tCX8ymDjPE
K3l2hCc68pPVdBTr57ER65ESmz6E9WWSa5h6MY2+CQ0Xpe6ts27ZebH3qjPY
qojYgRfLnkhvCiDtEYGkTd2hMqBqJFirAsFCeVNuhLyYNMyUuIAkT2iFm1zG
EIHlZrK8/y3+gm1Z3EYWIRyesXPoK00O7M7pBRNsnm4nP/iCUXMwxpAK20iF
+1Kvllwd9FzUm7e0Q6evt2D3Ax4RMDm9OcnecpYiFpRfC7NdbGLs9N12pVMq
vuYA6d0hp4GcAqdh0CPzlSxE5P61HEKe2AmkQXbQrLKpIljL7w8wjeSQ1tJp
qQbfjzw/HHg7UdC7h6gEhd+TPeb9HSc6z9LzpOEMqyRk+mVaefyqB7xlZ9GB
seeEjYSdXs390oX7RavVqR+zZhi+Dn21iUG7L8oswYZFisZHMQeO6F/Eb5zz
OXYIYKCWP4QkCjmN3a8GG/463a2QER8cPRckqPDzkGNY1PnTO1ZiuMBAFH/+
bksitbLRl8uTYlnLspLAAOqJK9aUTt4uvXv3budiivcTENn2Zfnjv5Tl+/fv
m/jFNoaFwIynRfLVdD7J9fPnKagOOSwDvPLVRTo9T6/TiX65k05LjH36Cq/4
ifv4OL+E436H+wtilX76FYarligxFDPY4ql+fljAuyDUTO7G+Y1++BIj3iYY
vjS8iD+bv830o11kXyD2pOUModj14xcwrmQPgYpm+pFY3JNnKYY6j92TxY//
ZZg8Q2NbPk3dBC6yvEy+nv74Xyen2fAiOSDTSOYm+Cwbw6H4+sd/QTArNxGY
AuYTvM0nbs7Px+m8xA9nfnCHc2Ca32ClkezOjO4M38bNKf5UXJspD5P98Xxy
7sYG/GAKenHy65TuYP14DwNFk+fjLHej3Jvmb+ETYMymGxDhn6PXYmo2/pb2
vYQvMIoQxqDf7eN5S17k8/I6Tf3yHKZnKXoufvy/Jq0XP/7fV9mfPLWwhwON
VjmWfvNrcw3K6CsgHuA0hrbGmGKDxOOGmI6v0xGcqYMf//PUN3yYok/qIJuO
zbPc6AEK/8MLdKL6Zfvxv9xkk0lyCIs0H14UM7MmQ7zBQWAfu/m8zIFZZuPk
EP+djsrCUzKcomuksKP0Ypz8+sf/CuLkxBDC/5hiYMCf/pQiCR/B3vt1/XV+
mRxBe1hyJ+wGP52exWcIPv3xX4Jj9OviAj+ew2XiWn0xH93kmPqdz9zafDXF
83yUXxWl3+gU5NBxep0cXd6VF+O7NHM09W06xmKi+MXYU9qBFFRA7RMT6ou3
bunhtoIPpvP8rW8iLy8msPrJ0RxE8Sn83x/SkO5w5S6DBSFXV3Kcj4uhW3n0
eyXHWM9walcJFunbLB+Ps9ks86+P8//nP6bJt/P//n+AFPzf/xc38nQ+Tr4r
KCuJPgNqpqXK8uQ3NKqlMwLtQsFVg/VFfqVrf8IiBbk9Z1RmrFRPEEVhorbX
Tr7LyMqcSeEcwqkbZacShsSwlIhIHO083Q+YbCYRulj6JxxKHkYx4m0M5+Iu
GkfOThCuvUlDIrj9YvqWTYUYEiZCPeEWStQwiDcYmxqDfX3T6/Q6aE0hKPKj
/Wf7R61v0D3SOJ/ilUEQq9TW5mpvbbWH+dKYSXg2np+dLf2/xGpO6kwMAwA=
</rfc> </rfc>
 End of changes. 333 change blocks. 
5818 lines changed or deleted 2821 lines changed or added

This html diff was produced by rfcdiff 1.48.