rfc9529.original.xml   rfc9529.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc [ <!DOCTYPE rfc [
<!ENTITY nbsp "&#160;"> <!ENTITY nbsp "&#160;">
<!ENTITY zwsp "&#8203;"> <!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;"> <!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;"> <!ENTITY wj "&#8288;">
]> ]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.40 (Ruby 3.0. <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" submissionType
2) --> ="IETF" category="info" consensus="true" docName="draft-ietf-lake-traces-09" num
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft ber="9529" tocDepth="2" tocInclude="true" sortRefs="true" symRefs="true" updates
-ietf-lake-traces-08" category="info" submissionType="IETF" tocDepth="2" tocIncl ="" obsoletes="" xml:lang="en" version="3">
ude="true" sortRefs="true" symRefs="true" version="3">
<!-- xml2rfc v2v3 conversion 3.18.0 --> <!-- xml2rfc v2v3 conversion 3.18.0 -->
<front> <front>
<title>Traces of EDHOC</title> <title abbrev="Traces of EDHOC">Traces of Ephemeral Diffie-Hellman Over COSE
<seriesInfo name="Internet-Draft" value="draft-ietf-lake-traces-08"/> (EDHOC)</title>
<seriesInfo name="RFC" value="9529"/>
<author initials="G." surname="Selander" fullname="Göran Selander"> <author initials="G." surname="Selander" fullname="Göran Selander">
<organization>Ericsson</organization> <organization>Ericsson</organization>
<address> <address>
<postal> <postal>
<country>Sweden</country> <country>Sweden</country>
</postal> </postal>
<email>goran.selander@ericsson.com</email> <email>goran.selander@ericsson.com</email>
</address> </address>
</author> </author>
<author initials="J" surname="Preuß Mattsson" fullname="John Preuß Mattsson" > <author initials="J" surname="Preuß Mattsson" fullname="John Preuß Mattsson" >
skipping to change at line 43 skipping to change at line 44
<author initials="M" surname="Serafin" fullname="Marek Serafin"> <author initials="M" surname="Serafin" fullname="Marek Serafin">
<organization>ASSA ABLOY</organization> <organization>ASSA ABLOY</organization>
<address> <address>
<postal> <postal>
<country>Poland</country> <country>Poland</country>
</postal> </postal>
<email>marek.serafin@assaabloy.com</email> <email>marek.serafin@assaabloy.com</email>
</address> </address>
</author> </author>
<author initials="M" surname="Tiloca" fullname="Marco Tiloca"> <author initials="M" surname="Tiloca" fullname="Marco Tiloca">
<organization>RISE</organization> <organization>RISE AB</organization>
<address> <address>
<postal> <postal>
<street>Isafjordsgatan 22</street>
<code>164 40</code>
<city>Kista</city>
<country>Sweden</country> <country>Sweden</country>
</postal> </postal>
<email>marco.tiloca@ri.se</email> <email>marco.tiloca@ri.se</email>
</address> </address>
</author> </author>
<author initials="M" surname="Vučinić" fullname="Mališa Vučinić"> <author initials="M" surname="Vučinić" fullname="Mališa Vučinić">
<organization>Inria</organization> <organization>Inria</organization>
<address> <address>
<postal> <postal>
<country>France</country> <country>France</country>
</postal> </postal>
<email>malisa.vucinic@inria.fr</email> <email>malisa.vucinic@inria.fr</email>
</address> </address>
</author> </author>
<date year="2023" month="September" day="22"/> <date year="2024" month="March"/>
<area>Security</area> <area>sec</area>
<workgroup>LAKE Working Group</workgroup> <workgroup>lake</workgroup>
<keyword>Internet-Draft</keyword> <keyword>test vector</keyword>
<abstract> <keyword>lightweight</keyword>
<?line 109?> <keyword>authenticated key exchange</keyword>
<keyword>LAKE</keyword>
<keyword>AKE</keyword>
<t>This document contains some example traces of Ephemeral Diffie-Hellman Over C <abstract>
OSE (EDHOC).</t> <t>This document contains example traces of Ephemeral Diffie-Hellman Over COSE (
EDHOC).</t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<?line 113?>
<section anchor="introduction"> <section anchor="introduction">
<name>Introduction</name> <name>Introduction</name>
<t>EDHOC <xref target="I-D.ietf-lake-edhoc"/> is a lightweight authenticat ed key exchange protocol designed for highly constrained settings. This document contains annotated traces of EDHOC sessions, with input, output, and intermedia te processing results to simplify testing of implementations. The traces have be en verified by two independent implementations.</t> <t>EDHOC <xref target="RFC9528"/> is a lightweight authenticated key excha nge protocol designed for highly constrained settings. This document contains an notated traces of EDHOC sessions with input, output, and intermediate processing results to simplify testing of implementations. The traces have been verified b y two independent implementations.</t>
<section anchor="setup"> <section anchor="setup">
<name>Setup</name> <name>Setup</name>
<t>EDHOC is run between an Initiator (I) and a Responder (R). The privat e/public key pairs and credentials of the Initiator and the Responder required t o produce the protocol messages are shown in the traces when needed for the calc ulations.</t> <t>EDHOC is run between an Initiator (I) and a Responder (R). The privat e/public key pairs and credentials of the Initiator and the Responder required t o produce the protocol messages are shown in the traces when needed for the calc ulations.</t>
<t>EDHOC messages and intermediate results are encoded in CBOR <xref tar get="RFC8949"/> and can therefore be displayed in CBOR diagnostic notation using , e.g., the CBOR playground <xref target="CborMe"/>, which makes them easy to pa rse for humans. Credentials can also be encoded in CBOR, e.g. CBOR Web Tokens (C WT) <xref target="RFC8392"/>.</t> <t>EDHOC messages and intermediate results are encoded in Concise Binary Object Representation (CBOR) <xref target="RFC8949"/> and can therefore be disp layed in CBOR diagnostic notation using, e.g., the CBOR playground <xref target= "CborMe"/>, which makes them easy to parse for humans. Credentials can also be e ncoded in CBOR, e.g., CBOR Web Tokens (CWTs) <xref target="RFC8392"/>.</t>
<t>The document contains two traces:</t> <t>The document contains two traces:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<xref target="sec-trace-1"/> - Authentication with signature keys id entified by the hash value of the X.509 certificates (provided in <xref target=" certs"/>). The endpoints use EdDSA <xref target="RFC8032"/> for authentication a nd X25519 <xref target="RFC7748"/> for ephemeral-ephemeral Diffie-Hellman key ex change.</li> <xref target="sec-trace-1"/> - Authentication with signature keys id entified by the hash value of the X.509 certificates (provided in <xref target=" certs"/>). The endpoints use Edwards-curve Digital Signature Algorithm (EdDSA) < xref target="RFC8032"/> for authentication and X25519 <xref target="RFC7748"/> f or ephemeral-ephemeral Diffie-Hellman (DH) key exchange.</li>
<li> <li>
<xref target="sec-trace-2"/> - Authentication with static Diffie-Hel lman keys identified by short key identifiers labelling CWT Claim Sets (CCSs) <x ref target="RFC8392"/>. The endpoints use NIST P-256 <xref target="SP-800-186"/> for both ephemeral-ephemeral and static-ephemeral Diffie-Hellman key exchange. This trace also illustrates the cipher suite negotiation, and provides an exampl e of low protocol overhead, with messages sizes of (39, 45, 19) bytes.</li> <xref target="sec-trace-2"/> - Authentication with static Diffie-Hel lman keys identified by short key identifiers labeling CWT Claims Sets (CCSs) <x ref target="RFC8392"/>. The endpoints use NIST P-256 <xref target="SP-800-186"/ > for both ephemeral-ephemeral and ephemeral-static DH key exchange. This trace also illustrates the cipher suite negotiation and provides an example of low pro tocol overhead with messages sizes of 39, 45, and 19 bytes.</li>
</ul> </ul>
<t>Examples of invalid EDHOC messages are found in <xref target="sec-tra ce-invalid"/>.</t> <t>Examples of invalid EDHOC messages are found in <xref target="sec-tra ce-invalid"/>.</t>
<t>NOTE 1. The same name is used for hexadecimal byte strings and their <ol type="Note %d.">
CBOR encodings. The traces contain both the raw byte strings and the correspondi <li>The same name is used for hexadecimal byte strings and their CBOR en
ng CBOR encoded data items.</t> codings. The traces contain both the raw byte strings and the corresponding CBOR
<t>NOTE 2. If not clear from the context, remember that CBOR sequences a -encoded data items.</li>
nd CBOR arrays assume CBOR encoded data items as elements.</t> <li>If not clear from the context, remember that CBOR sequences and CBOR
<t>NOTE 3. When the protocol transporting EDHOC messages does not inhere arrays assume CBOR-encoded data items as elements.</li>
ntly provide correlation across all messages, like CoAP <xref target="RFC7252"/> <li>When the protocol transporting EDHOC messages does not inherently pr
, then some messages typically are prepended with connection identifiers and pot ovide correlation across all messages, then some messages are typically prepende
entially a message_1 indicator (see Sections <xref target="I-D.ietf-lake-edhoc" d with connection identifiers and potentially a message_1 indicator (see Section
section="3.4.1" sectionFormat="bare"/> and <xref target="I-D.ietf-lake-edhoc" se <xref target="RFC9528" section="3.4.1" sectionFormat="bare"/> and Appendix <xre
ction="A.2" sectionFormat="bare"/> of <xref target="I-D.ietf-lake-edhoc"/>). Tho f target="RFC9528" section="A.2" sectionFormat="bare"/> of <xref target="RFC9528
se bytes are not included in the traces in this document.</t> "/>). Those bytes are not included in the traces in this document.</li>
</ol>
</section> </section>
<section anchor="term"> <section anchor="term">
<name>Terminology and Requirements Language</name> <name>Requirements Language</name>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL <t>
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU
"MAY", and "OPTIONAL" in this document are to be interpreted as IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>
only when, they RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
appear in all capitals, as shown here. "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
<?line -6?> be interpreted as
described in BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.
</t> </t>
</section> </section>
</section> </section>
<section anchor="sec-trace-1"> <section anchor="sec-trace-1">
<name>Authentication with Signatures, X.509 Certificates Identified by 'x5 <name>Authentication with Signatures, X.509 Identified by 'x5t'</name>
t'</name> <t>In this example, the Initiator (I) and Responder (R) are authenticated
<t>In this example the Initiator (I) and Responder (R) are authenticated w with digital signatures (METHOD = 0). Both the Initiator and the Responder suppo
ith digital signatures (METHOD = 0). Both the Initiator and the Responder suppor rt cipher suite 0, which determines the algorithms:</t>
t cipher suite 0, which determines the algorithms:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>EDHOC AEAD algorithm = AES-CCM-16-64-128</li> <li>EDHOC AEAD algorithm = AES-CCM-16-64-128</li>
<li>EDHOC hash algorithm = SHA-256</li> <li>EDHOC hash algorithm = SHA-256</li>
<li>EDHOC MAC length in bytes (Static DH) = 8</li> <li>EDHOC Message Authentication Code (MAC) length in bytes (Static DH) = 8</li>
<li>EDHOC key exchange algorithm (ECDH curve) = X25519</li> <li>EDHOC key exchange algorithm (ECDH curve) = X25519</li>
<li>EDHOC signature algorithm = EdDSA</li> <li>EDHOC signature algorithm = EdDSA</li>
<li>Application AEAD algorithm = AES-CCM-16-64-128</li> <li>application AEAD algorithm = AES-CCM-16-64-128</li>
<li>Application hash algorithm = SHA-256</li> <li>application hash algorithm = SHA-256</li>
</ul> </ul>
<t>The public keys are represented with X.509 certificates identified by t he COSE header parameter 'x5t'.</t> <t>The public keys are represented with X.509 certificates identified by t he CBOR Object Signing and Encryption (COSE) header parameter 'x5t'.</t>
<section anchor="message1"> <section anchor="message1">
<name>message_1</name> <name>message_1</name>
<t>Both endpoints are authenticated with signatures, i.e., METHOD = 0:</ t> <t>Both endpoints are authenticated with signatures, i.e., METHOD = 0:</ t>
<artwork align="left"><![CDATA[ <artwork align="left"><![CDATA[
METHOD (CBOR Data Item) (1 byte) METHOD (CBOR Data Item) (1 byte)
00 00
]]></artwork> ]]></artwork>
<t>The Initiator selects cipher suite 0. A single cipher suite is encode d as an int:</t> <t>The Initiator selects cipher suite 0. A single cipher suite is encode d as an int:</t>
<artwork><![CDATA[ <artwork><![CDATA[
SUITES_I (CBOR Data Item) (1 byte) SUITES_I (CBOR Data Item) (1 byte)
skipping to change at line 147 skipping to change at line 155
G_X (Raw Value) (32 bytes) G_X (Raw Value) (32 bytes)
31 f8 2c 7b 5b 9c bb f0 f1 94 d9 13 cc 12 ef 15 32 d3 28 ef 32 63 2a 31 f8 2c 7b 5b 9c bb f0 f1 94 d9 13 cc 12 ef 15 32 d3 28 ef 32 63 2a
48 81 a1 c0 70 1e 23 7f 04 48 81 a1 c0 70 1e 23 7f 04
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Initiator's ephemeral public key Initiator's ephemeral public key
G_X (CBOR Data Item) (34 bytes) G_X (CBOR Data Item) (34 bytes)
58 20 31 f8 2c 7b 5b 9c bb f0 f1 94 d9 13 cc 12 ef 15 32 d3 28 ef 32 58 20 31 f8 2c 7b 5b 9c bb f0 f1 94 d9 13 cc 12 ef 15 32 d3 28 ef 32
63 2a 48 81 a1 c0 70 1e 23 7f 04 63 2a 48 81 a1 c0 70 1e 23 7f 04
]]></artwork> ]]></artwork>
<t>The Initiator selects its connection identifier C_I to be the byte st ring 0x2d, which since it is represented by the 1-byte CBOR int -14 is encoded a s 0x2d:</t> <t>The Initiator selects its connection identifier C_I to be the byte st ring 0x2d, which is encoded as 0x2d since it is represented by the 1-byte CBOR i nt -14:</t>
<artwork><![CDATA[ <artwork><![CDATA[
Connection identifier chosen by Initiator Connection identifier chosen by the Initiator
C_I (Raw Value) (1 byte) C_I (Raw Value) (1 byte)
2d 2d
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Connection identifier chosen by Initiator Connection identifier chosen by the Initiator
C_I (CBOR Data Item) (1 byte) C_I (CBOR Data Item) (1 byte)
2d 2d
]]></artwork> ]]></artwork>
<t>No external authorization data:</t> <t>No external authorization data:</t>
<artwork><![CDATA[ <artwork><![CDATA[
EAD_1 (CBOR Sequence) (0 bytes) EAD_1 (CBOR Sequence) (0 bytes)
]]></artwork> ]]></artwork>
<t>The Initiator constructs message_1:</t> <t>The Initiator constructs message_1:</t>
<artwork><![CDATA[ <artwork><![CDATA[
message_1 = message_1 =
( (
0, 0,
0, 0,
h'31f82c7b5b9cbbf0f194d913cc12ef1532d328ef32632a48 h'31f82c7b5b9cbbf0f194d913cc12ef1532d328ef32632a48
81a1c0701e237f04', 81a1c0701e237f04',
-14 -14
) )
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
message_1 (CBOR Sequence) (37 bytes) message_1 (CBOR Sequence) (37 bytes)
00 00 58 20 31 f8 2c 7b 5b 9c bb f0 f1 94 d9 13 cc 12 ef 15 32 d3 28 00 00 58 20 31 f8 2c 7b 5b 9c bb f0 f1 94 d9 13 cc 12 ef 15 32 d3 28
ef 32 63 2a 48 81 a1 c0 70 1e 23 7f 04 2d ef 32 63 2a 48 81 a1 c0 70 1e 23 7f 04 2d
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="message2"> <section anchor="message2">
<name>message_2</name> <name>message_2</name>
skipping to change at line 201 skipping to change at line 209
G_Y (Raw Value) (32 bytes) G_Y (Raw Value) (32 bytes)
dc 88 d2 d5 1d a5 ed 67 fc 46 16 35 6b c8 ca 74 ef 9e be 8b 38 7e 62 dc 88 d2 d5 1d a5 ed 67 fc 46 16 35 6b c8 ca 74 ef 9e be 8b 38 7e 62
3a 36 0b a4 80 b9 b2 9d 1c 3a 36 0b a4 80 b9 b2 9d 1c
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Responder's ephemeral public key Responder's ephemeral public key
G_Y (CBOR Data Item) (34 bytes) G_Y (CBOR Data Item) (34 bytes)
58 20 dc 88 d2 d5 1d a5 ed 67 fc 46 16 35 6b c8 ca 74 ef 9e be 8b 38 58 20 dc 88 d2 d5 1d a5 ed 67 fc 46 16 35 6b c8 ca 74 ef 9e be 8b 38
7e 62 3a 36 0b a4 80 b9 b2 9d 1c 7e 62 3a 36 0b a4 80 b9 b2 9d 1c
]]></artwork> ]]></artwork>
<t>The Responder selects its connection identifier C_R to be the byte st ring 0x18, which since it is not represented as a 1-byte CBOR int is encoded as h'18' = 0x4118:</t> <t>The Responder selects its connection identifier C_R to be the byte st ring 0x18, which is encoded as h'18' = 0x4118 since it is not represented by a 1 -byte CBOR int:</t>
<artwork><![CDATA[ <artwork><![CDATA[
Connection identifier chosen by Responder Connection identifier chosen by the Responder
C_R (Raw Value) (1 byte) C_R (Raw Value) (1 byte)
18 18
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Connection identifier chosen by Responder Connection identifier chosen by the Responder
C_R (CBOR Data Item) (2 bytes) C_R (CBOR Data Item) (2 bytes)
41 18 41 18
]]></artwork> ]]></artwork>
<t>The transcript hash TH_2 is calculated using the EDHOC hash algorithm :</t> <t>The transcript hash TH_2 is calculated using the EDHOC hash algorithm :</t>
<t>TH_2 = H( G_Y, H(message_1) )</t> <t>TH_2 = H( G_Y, H(message_1) )</t>
<artwork><![CDATA[ <artwork><![CDATA[
H(message_1) (Raw Value) (32 bytes) H(message_1) (Raw Value) (32 bytes)
c1 65 d6 a9 9d 1b ca fa ac 8d bf 2b 35 2a 6f 7d 71 a3 0b 43 9c 9d 64 c1 65 d6 a9 9d 1b ca fa ac 8d bf 2b 35 2a 6f 7d 71 a3 0b 43 9c 9d 64
d3 49 a2 38 48 03 8e d1 6b d3 49 a2 38 48 03 8e d1 6b
]]></artwork> ]]></artwork>
skipping to change at line 242 skipping to change at line 250
<artwork><![CDATA[ <artwork><![CDATA[
TH_2 (Raw Value) (32 bytes) TH_2 (Raw Value) (32 bytes)
c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a
06 52 ca e6 6c 90 61 68 8d 06 52 ca e6 6c 90 61 68 8d
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
TH_2 (CBOR Data Item) (34 bytes) TH_2 (CBOR Data Item) (34 bytes)
58 20 c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 58 20 c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a
79 6a 06 52 ca e6 6c 90 61 68 8d 79 6a 06 52 ca e6 6c 90 61 68 8d
]]></artwork> ]]></artwork>
<t>PRK_2e is specified in <xref section="4.1.1.1" sectionFormat="of" tar <t>PRK_2e is specified in <xref section="4.1.1.1" sectionFormat="of" tar
get="I-D.ietf-lake-edhoc"/>.</t> get="RFC9528"/>.</t>
<t>First, the ECDH shared secret G_XY is computed from G_X and Y, or G_Y <t>First, the Elliptic Curve Diffie-Hellman (ECDH) shared secret G_XY is
and X:</t> computed from G_X and Y or G_Y and X:</t>
<artwork><![CDATA[ <artwork><![CDATA[
G_XY (Raw Value) (ECDH shared secret) (32 bytes) G_XY (Raw Value) (ECDH shared secret) (32 bytes)
e5 cd f3 a9 86 cd ac 5b 7b f0 46 91 e2 b0 7c 08 e7 1f 53 99 8d 8f 84 e5 cd f3 a9 86 cd ac 5b 7b f0 46 91 e2 b0 7c 08 e7 1f 53 99 8d 8f 84
2b 7c 3f b4 d8 39 cf 7b 28 2b 7c 3f b4 d8 39 cf 7b 28
]]></artwork> ]]></artwork>
<t>Then, PRK_2e is calculated using EDHOC_Extract() determined by the ED HOC hash algorithm:</t> <t>Then, PRK_2e is calculated using EDHOC_Extract(), which is determined by the EDHOC hash algorithm:</t>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_2e = EDHOC_Extract( salt, G_XY ) = PRK_2e = EDHOC_Extract( salt, G_XY )
= HMAC-SHA-256( salt, G_XY ) = HMAC-SHA-256( salt, G_XY )
]]></artwork> ]]></artwork>
<t>where salt is TH_2:</t> <t>where salt is TH_2:</t>
<artwork><![CDATA[ <artwork><![CDATA[
salt (Raw Value) (32 bytes) salt (Raw Value) (32 bytes)
c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a
06 52 ca e6 6c 90 61 68 8d 06 52 ca e6 6c 90 61 68 8d
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_2e (Raw Value) (32 bytes) PRK_2e (Raw Value) (32 bytes)
d5 84 ac 2e 5d ad 5a 77 d1 4b 53 eb e7 2e f1 d5 da a8 86 0d 39 93 73 d5 84 ac 2e 5d ad 5a 77 d1 4b 53 eb e7 2e f1 d5 da a8 86 0d 39 93 73
bf 2c 24 0a fa 7b a8 04 da bf 2c 24 0a fa 7b a8 04 da
]]></artwork> ]]></artwork>
<t>Since METHOD = 0, the Responder authenticates using signatures. Since the selected cipher suite is 0, the EDHOC signature algorithm is EdDSA.</t> <t>Since METHOD = 0, the Responder authenticates using signatures. Since the selected cipher suite is 0, the EDHOC signature algorithm is EdDSA.</t>
<t>The Responder's signature key pair using EdDSA:</t> <t>The Responder's signature key pair uses EdDSA:</t>
<artwork><![CDATA[ <artwork><![CDATA[
Responder's private authentication key Responder's private authentication key
SK_R (Raw Value) (32 bytes) SK_R (Raw Value) (32 bytes)
ef 14 0f f9 00 b0 ab 03 f0 c0 8d 87 9c bb d4 b3 1e a7 1e 6e 7e e7 ff ef 14 0f f9 00 b0 ab 03 f0 c0 8d 87 9c bb d4 b3 1e a7 1e 6e 7e e7 ff
cb 7e 79 55 77 7a 33 27 99 cb 7e 79 55 77 7a 33 27 99
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Responder's public authentication key Responder's public authentication key
PK_R (Raw Value) (32 bytes) PK_R (Raw Value) (32 bytes)
a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0 f2 c6 62 a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0 f2 c6 62
c0 0b 3a c5 5d e9 2f 93 59 c0 0b 3a c5 5d e9 2f 93 59
]]></artwork> ]]></artwork>
<t>PRK_3e2m is specified in <xref section="4.1.1.2" sectionFormat="of" t <t>PRK_3e2m is specified in <xref section="4.1.1.2" sectionFormat="of" t
arget="I-D.ietf-lake-edhoc"/>.</t> arget="RFC9528"/>.</t>
<t>Since the Responder authenticates with signatures PRK_3e2m = PRK_2e.< <t>Since the Responder authenticates with signatures, PRK_3e2m = PRK_2e.
/t> </t>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_3e2m (Raw Value) (32 bytes) PRK_3e2m (Raw Value) (32 bytes)
d5 84 ac 2e 5d ad 5a 77 d1 4b 53 eb e7 2e f1 d5 da a8 86 0d 39 93 73 d5 84 ac 2e 5d ad 5a 77 d1 4b 53 eb e7 2e f1 d5 da a8 86 0d 39 93 73
bf 2c 24 0a fa 7b a8 04 da bf 2c 24 0a fa 7b a8 04 da
]]></artwork> ]]></artwork>
<t>The Responder constructs the remaining input needed to calculate MAC_ 2:</t> <t>The Responder constructs the remaining input needed to calculate MAC_ 2:</t>
<t>MAC_2 = EDHOC_KDF( PRK_3e2m, 2, context_2, mac_length_2 )</t> <t>MAC_2 = EDHOC_KDF( PRK_3e2m, 2, context_2, mac_length_2 )</t>
<t>context_2 = &lt;&lt; ID_CRED_R, TH_2, CRED_R, ? EAD_2 &gt;&gt;</t> <t>context_2 = &lt;&lt; C_R, ID_CRED_R, TH_2, CRED_R, ? EAD_2 &gt;&gt;</ t>
<t>CRED_R is identified by a 64-bit hash:</t> <t>CRED_R is identified by a 64-bit hash:</t>
<artwork><![CDATA[ <artwork><![CDATA[
ID_CRED_R = ID_CRED_R =
{ {
34 : [-15, h'79f2a41b510c1f9b'] 34 : [-15, h'79f2a41b510c1f9b']
} }
]]></artwork> ]]></artwork>
<t>where the COSE header value 34 ('x5t') indicates a hash of an X.509 c ertficate, <t>where the COSE header value 34 ('x5t') indicates a hash of an X.509 c ertificate,
and the COSE algorithm -15 indicates the hash algorithm SHA-256 truncated to 64 bits.</t> and the COSE algorithm -15 indicates the hash algorithm SHA-256 truncated to 64 bits.</t>
<artwork><![CDATA[ <artwork><![CDATA[
ID_CRED_R (CBOR Data Item) (14 bytes) ID_CRED_R (CBOR Data Item) (14 bytes)
a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b
]]></artwork> ]]></artwork>
<t>CRED_R is a CBOR byte string of the DER encoding of the X.509 certifi cate in <xref target="resp-cer"/>:</t> <t>CRED_R is a CBOR byte string of the DER encoding of the X.509 certifi cate in <xref target="resp-cer"/>:</t>
<artwork><![CDATA[ <artwork><![CDATA[
CRED_R (Raw Value) (241 bytes) CRED_R (Raw Value) (241 bytes)
30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e c4 30 05 06 03 2b 65 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e c4 30 05 06 03 2b 65
70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 52 6f 6f 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 52 6f 6f
skipping to change at line 335 skipping to change at line 343
db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0 f2 c6 62 c0 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0 f2 c6 62 c0
0b 3a c5 5d e9 2f 93 59 30 05 06 03 2b 65 70 03 41 00 b7 23 bc 01 ea 0b 3a c5 5d e9 2f 93 59 30 05 06 03 2b 65 70 03 41 00 b7 23 bc 01 ea
b0 92 8e 8b 2b 6c 98 de 19 cc 38 23 d4 6e 7d 69 87 b0 32 47 8f ec fa b0 92 8e 8b 2b 6c 98 de 19 cc 38 23 d4 6e 7d 69 87 b0 32 47 8f ec fa
f1 45 37 a1 af 14 cc 8b e8 29 c6 b7 30 44 10 18 37 eb 4a bc 94 95 65 f1 45 37 a1 af 14 cc 8b e8 29 c6 b7 30 44 10 18 37 eb 4a bc 94 95 65
d8 6d ce 51 cf ae 52 ab 82 c1 52 cb 02 d8 6d ce 51 cf ae 52 ab 82 c1 52 cb 02
]]></artwork> ]]></artwork>
<t>No external authorization data:</t> <t>No external authorization data:</t>
<artwork><![CDATA[ <artwork><![CDATA[
EAD_2 (CBOR Sequence) (0 bytes) EAD_2 (CBOR Sequence) (0 bytes)
]]></artwork> ]]></artwork>
<t>context_2 = &lt;&lt; ID_CRED_R, TH_2, CRED_R, ? EAD_2 &gt;&gt;</t> <t>context_2 = &lt;&lt; C_R, ID_CRED_R, TH_2, CRED_R, ? EAD_2 &gt;&gt;</ t>
<artwork><![CDATA[ <artwork><![CDATA[
context_2 (CBOR Sequence) (291 bytes) context_2 (CBOR Sequence) (293 bytes)
a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b 58 20 c6 40 5c 15 4c 56 74 41 18 a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b 58 20 c6 40 5c 15 4c
66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a 06 52 ca e6 6c 90 61 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a 06 52 ca e6 6c
68 8d 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e c4 30 05 90 61 68 8d 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e c4
06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48
20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 4f 43 20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33
30 38 32 34 33 36 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 31 36 30 38 32 34 33 36 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 30
22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 52 65 73 70 6f 5a 30 22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 52 65 73
6e 64 65 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 70 6f 6e 64 65 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70
00 a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0 f2 c6 03 21 00 a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0
62 c0 0b 3a c5 5d e9 2f 93 59 30 05 06 03 2b 65 70 03 41 00 b7 23 bc f2 c6 62 c0 0b 3a c5 5d e9 2f 93 59 30 05 06 03 2b 65 70 03 41 00 b7
01 ea b0 92 8e 8b 2b 6c 98 de 19 cc 38 23 d4 6e 7d 69 87 b0 32 47 8f 23 bc 01 ea b0 92 8e 8b 2b 6c 98 de 19 cc 38 23 d4 6e 7d 69 87 b0 32
ec fa f1 45 37 a1 af 14 cc 8b e8 29 c6 b7 30 44 10 18 37 eb 4a bc 94 47 8f ec fa f1 45 37 a1 af 14 cc 8b e8 29 c6 b7 30 44 10 18 37 eb 4a
95 65 d8 6d ce 51 cf ae 52 ab 82 c1 52 cb 02 bc 94 95 65 d8 6d ce 51 cf ae 52 ab 82 c1 52 cb 02
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
context_2 (CBOR byte string) (294 bytes) context_2 (CBOR byte string) (296 bytes)
59 01 23 a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b 58 20 c6 40 5c 15 59 01 25 41 18 a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b 58 20 c6 40
4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a 06 52 ca e6 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a 06 52
6c 90 61 68 8d 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e ca e6 6c 90 61 68 8d 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62
c4 30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 31 9e c4 30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12
48 4f 43 20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 45 44 48 4f 43 20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32
33 31 36 30 38 32 34 33 36 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 32 30 33 31 36 30 38 32 34 33 36 5a 17 0d 32 39 31 32 33 31 32 33 30
30 5a 30 22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 52 65 30 30 30 5a 30 22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20
73 70 6f 6e 64 65 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65 52 65 73 70 6f 6e 64 65 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03
70 03 21 00 a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a 2b 65 70 03 21 00 a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac
a0 f2 c6 62 c0 0b 3a c5 5d e9 2f 93 59 30 05 06 03 2b 65 70 03 41 00 e3 3a a0 f2 c6 62 c0 0b 3a c5 5d e9 2f 93 59 30 05 06 03 2b 65 70 03
b7 23 bc 01 ea b0 92 8e 8b 2b 6c 98 de 19 cc 38 23 d4 6e 7d 69 87 b0 41 00 b7 23 bc 01 ea b0 92 8e 8b 2b 6c 98 de 19 cc 38 23 d4 6e 7d 69
32 47 8f ec fa f1 45 37 a1 af 14 cc 8b e8 29 c6 b7 30 44 10 18 37 eb 87 b0 32 47 8f ec fa f1 45 37 a1 af 14 cc 8b e8 29 c6 b7 30 44 10 18
4a bc 94 95 65 d8 6d ce 51 cf ae 52 ab 82 c1 52 cb 02 37 eb 4a bc 94 95 65 d8 6d ce 51 cf ae 52 ab 82 c1 52 cb 02
]]></artwork>
<t>MAC_2 is computed through EDHOC_Expand() using the EDHOC hash algorit
hm (see <xref section="4.1.2" sectionFormat="of" target="RFC9528"/>):</t>
<artwork><![CDATA[
MAC_2 = HKDF-Expand( PRK_3e2m, info, mac_length_2 )
]]></artwork>
<t>where</t>
<artwork><![CDATA[
info = ( 2, context_2, mac_length_2 )
]]></artwork> ]]></artwork>
<t>MAC_2 is computed through EDHOC_Expand() using the EDHOC hash algorit
hm, see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>:
</t>
<t>MAC_2 = HKDF-Expand(PRK_3e2m, info, mac_length_2), where</t>
<t>info = ( 2, context_2, mac_length_2 )</t>
<t>Since METHOD = 0, mac_length_2 is given by the EDHOC hash algorithm.< /t> <t>Since METHOD = 0, mac_length_2 is given by the EDHOC hash algorithm.< /t>
<t>info for MAC_2 is:</t> <t>info for MAC_2 is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
2, 2,
h'a11822822e4879f2a41b510c1f9b5820c6405c154c567466 h'4118a11822822e4879f2a41b510c1f9b5820c6405c154c56
ab1df20369500e540e9f14bd3a796a0652cae66c9061688d 7466ab1df20369500e540e9f14bd3a796a0652cae66c9061
58f13081ee3081a1a003020102020462319ec4300506032b 688d58f13081ee3081a1a003020102020462319ec4300506
6570301d311b301906035504030c124544484f4320526f6f 032b6570301d311b301906035504030c124544484f432052
742045643235353139301e170d3232303331363038323433 6f6f742045643235353139301e170d323230333136303832
365a170d3239313233313233303030305a30223120301e06 3433365a170d3239313233313233303030305a3022312030
035504030c174544484f4320526573706f6e646572204564 1e06035504030c174544484f4320526573706f6e64657220
3235353139302a300506032b6570032100a1db47b9518485 45643235353139302a300506032b6570032100a1db47b951
4ad12a0c1a354e418aace33aa0f2c662c00b3ac55de92f93 84854ad12a0c1a354e418aace33aa0f2c662c00b3ac55de9
59300506032b6570034100b723bc01eab0928e8b2b6c98de 2f9359300506032b6570034100b723bc01eab0928e8b2b6c
19cc3823d46e7d6987b032478fecfaf14537a1af14cc8be8 98de19cc3823d46e7d6987b032478fecfaf14537a1af14cc
29c6b73044101837eb4abc949565d86dce51cfae52ab82c1 8be829c6b73044101837eb4abc949565d86dce51cfae52ab
52cb02', 82c152cb02',
32 32
) )
]]></artwork> ]]></artwork>
<t>where the last value is the output size of the EDHOC hash algorithm i n bytes.</t> <t>where the last value is the output size of the EDHOC hash algorithm i n bytes.</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for MAC_2 (CBOR Sequence) (297 bytes) info for MAC_2 (CBOR Sequence) (299 bytes)
02 59 01 23 a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b 58 20 c6 40 5c 02 59 01 25 41 18 a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b 58 20 c6
15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a 06 52 ca 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 79 6a 06
e6 6c 90 61 68 8d 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 52 ca e6 6c 90 61 68 8d 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04
9e c4 30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 62 31 9e c4 30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c
44 48 4f 43 20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 12 45 44 48 4f 43 20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d
30 33 31 36 30 38 32 34 33 36 5a 17 0d 32 39 31 32 33 31 32 33 30 30 32 32 30 33 31 36 30 38 32 34 33 36 5a 17 0d 32 39 31 32 33 31 32 33
30 30 5a 30 22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 52 30 30 30 30 5a 30 22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43
65 73 70 6f 6e 64 65 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 20 52 65 73 70 6f 6e 64 65 72 20 45 64 32 35 35 31 39 30 2a 30 05 06
65 70 03 21 00 a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 03 2b 65 70 03 21 00 a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a
3a a0 f2 c6 62 c0 0b 3a c5 5d e9 2f 93 59 30 05 06 03 2b 65 70 03 41 ac e3 3a a0 f2 c6 62 c0 0b 3a c5 5d e9 2f 93 59 30 05 06 03 2b 65 70
00 b7 23 bc 01 ea b0 92 8e 8b 2b 6c 98 de 19 cc 38 23 d4 6e 7d 69 87 03 41 00 b7 23 bc 01 ea b0 92 8e 8b 2b 6c 98 de 19 cc 38 23 d4 6e 7d
b0 32 47 8f ec fa f1 45 37 a1 af 14 cc 8b e8 29 c6 b7 30 44 10 18 37 69 87 b0 32 47 8f ec fa f1 45 37 a1 af 14 cc 8b e8 29 c6 b7 30 44 10
eb 4a bc 94 95 65 d8 6d ce 51 cf ae 52 ab 82 c1 52 cb 02 18 20 18 37 eb 4a bc 94 95 65 d8 6d ce 51 cf ae 52 ab 82 c1 52 cb 02 18 20
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
MAC_2 (Raw Value) (32 bytes) MAC_2 (Raw Value) (32 bytes)
36 9c a4 39 2c 83 ed 63 d6 1a d2 18 42 0e a3 67 06 00 84 78 d5 bc 30 86 2a 7e 5e f1 47 f9 a5 f4 c5 12 e1 b6 62 3c d6 6c d1 7a 72 72 07 2b
49 fb 8c 59 42 44 4b 13 33 fe 5b 60 2f fe 30 7e e0 e9
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
MAC_2 (CBOR Data Item) (34 bytes) MAC_2 (CBOR Data Item) (34 bytes)
58 20 36 9c a4 39 2c 83 ed 63 d6 1a d2 18 42 0e a3 67 06 00 84 78 d5 58 20 86 2a 7e 5e f1 47 f9 a5 f4 c5 12 e1 b6 62 3c d6 6c d1 7a 72 72
bc 30 49 fb 8c 59 42 44 4b 13 33 07 2b fe 5b 60 2f fe 30 7e e0 e9
]]></artwork> ]]></artwork>
<t>Since METHOD = 0, Signature_or_MAC_2 is the 'signature' of the COSE_S ign1 object.</t> <t>Since METHOD = 0, Signature_or_MAC_2 is the 'signature' of the COSE_S ign1 object.</t>
<t>The Responder constructs the message to be signed:</t> <t>The Responder constructs the message to be signed:</t>
<artwork><![CDATA[ <artwork><![CDATA[
[ "Signature1", << ID_CRED_R >>, [
<< TH_2, CRED_R, ? EAD_2 >>, MAC_2 ] = "Signature1",
<< ID_CRED_R >>,
<< TH_2, CRED_R, ? EAD_2 >>,
MAC_2
] =
[ [
"Signature1", "Signature1",
h'a11822822e4879f2a41b510c1f9b', h'a11822822e4879f2a41b510c1f9b',
h'5820c6405c154c567466ab1df20369500e540e9f14bd3a79 h'5820c6405c154c567466ab1df20369500e540e9f14bd3a79
6a0652cae66c9061688d58f13081ee3081a1a00302010202 6a0652cae66c9061688d58f13081ee3081a1a00302010202
0462319ec4300506032b6570301d311b301906035504030c 0462319ec4300506032b6570301d311b301906035504030c
124544484f4320526f6f742045643235353139301e170d32 124544484f4320526f6f742045643235353139301e170d32
32303331363038323433365a170d32393132333132333030 32303331363038323433365a170d32393132333132333030
30305a30223120301e06035504030c174544484f43205265 30305a30223120301e06035504030c174544484f43205265
73706f6e6465722045643235353139302a300506032b6570 73706f6e6465722045643235353139302a300506032b6570
032100a1db47b95184854ad12a0c1a354e418aace33aa0f2 032100a1db47b95184854ad12a0c1a354e418aace33aa0f2
c662c00b3ac55de92f9359300506032b6570034100b723bc c662c00b3ac55de92f9359300506032b6570034100b723bc
01eab0928e8b2b6c98de19cc3823d46e7d6987b032478fec 01eab0928e8b2b6c98de19cc3823d46e7d6987b032478fec
faf14537a1af14cc8be829c6b73044101837eb4abc949565 faf14537a1af14cc8be829c6b73044101837eb4abc949565
d86dce51cfae52ab82c152cb02', d86dce51cfae52ab82c152cb02',
h'369ca4392c83ed63d61ad218420ea36706008478d5bc3049 h'862a7e5ef147f9a5f4c512e1b6623cd66cd17a7272072bfe
fb8c5942444b1333' 5b602ffe307ee0e9'
] ]
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Message to be signed 2 (CBOR Data Item) (341 bytes) Message to be signed in message_2 (CBOR Data Item) (341 bytes)
84 6a 53 69 67 6e 61 74 75 72 65 31 4e a1 18 22 82 2e 48 79 f2 a4 1b 84 6a 53 69 67 6e 61 74 75 72 65 31 4e a1 18 22 82 2e 48 79 f2 a4 1b
51 0c 1f 9b 59 01 15 58 20 c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 51 0c 1f 9b 59 01 15 58 20 c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50
0e 54 0e 9f 14 bd 3a 79 6a 06 52 ca e6 6c 90 61 68 8d 58 f1 30 81 ee 0e 54 0e 9f 14 bd 3a 79 6a 06 52 ca e6 6c 90 61 68 8d 58 f1 30 81 ee
30 81 a1 a0 03 02 01 02 02 04 62 31 9e c4 30 05 06 03 2b 65 70 30 1d 30 81 a1 a0 03 02 01 02 02 04 62 31 9e c4 30 05 06 03 2b 65 70 30 1d
31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 52 6f 6f 74 20 45 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 52 6f 6f 74 20 45
64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30 38 32 34 33 36 5a 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30 38 32 34 33 36 5a
17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 22 31 20 30 1e 06 03 17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 22 31 20 30 1e 06 03
55 04 03 0c 17 45 44 48 4f 43 20 52 65 73 70 6f 6e 64 65 72 20 45 64 55 04 03 0c 17 45 44 48 4f 43 20 52 65 73 70 6f 6e 64 65 72 20 45 64
32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 00 a1 db 47 b9 51 84 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 00 a1 db 47 b9 51 84
85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0 f2 c6 62 c0 0b 3a c5 5d e9 85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0 f2 c6 62 c0 0b 3a c5 5d e9
2f 93 59 30 05 06 03 2b 65 70 03 41 00 b7 23 bc 01 ea b0 92 8e 8b 2b 2f 93 59 30 05 06 03 2b 65 70 03 41 00 b7 23 bc 01 ea b0 92 8e 8b 2b
6c 98 de 19 cc 38 23 d4 6e 7d 69 87 b0 32 47 8f ec fa f1 45 37 a1 af 6c 98 de 19 cc 38 23 d4 6e 7d 69 87 b0 32 47 8f ec fa f1 45 37 a1 af
14 cc 8b e8 29 c6 b7 30 44 10 18 37 eb 4a bc 94 95 65 d8 6d ce 51 cf 14 cc 8b e8 29 c6 b7 30 44 10 18 37 eb 4a bc 94 95 65 d8 6d ce 51 cf
ae 52 ab 82 c1 52 cb 02 58 20 36 9c a4 39 2c 83 ed 63 d6 1a d2 18 42 ae 52 ab 82 c1 52 cb 02 58 20 86 2a 7e 5e f1 47 f9 a5 f4 c5 12 e1 b6
0e a3 67 06 00 84 78 d5 bc 30 49 fb 8c 59 42 44 4b 13 33 62 3c d6 6c d1 7a 72 72 07 2b fe 5b 60 2f fe 30 7e e0 e9
]]></artwork> ]]></artwork>
<t>The Responder signs using the private authentication key SK_R</t> <t>The Responder signs using the private authentication key SK_R.</t>
<artwork><![CDATA[ <artwork><![CDATA[
Signature_or_MAC_2 (Raw Value) (64 bytes) Signature_or_MAC_2 (Raw Value) (64 bytes)
41 e6 91 27 5b 84 04 24 25 5a cb 87 e6 33 d7 5d da 71 50 2d a2 e3 da c3 b5 bd 44 d1 e4 4a 08 5c 03 d3 ae de 4e 1e 6c 11 c5 72 a1 96 8c c3
5f ce ee c4 e3 f7 60 74 48 6f 87 e6 6f 2a ca a1 bb d4 8c e0 e6 6a 5d 62 9b 50 5f 98 c6 81 60 8d 3d 1d e7 93 d1 c4 0e b5 dd 5d 89 ac f1 96
64 38 91 54 48 2f 9a 5e 57 22 70 63 31 59 f2 b1 7e 0e 6a ea 07 02 2b 48 cd c9 98 70 eb c4 03 74 e8 fa 6e 09
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Signature_or_MAC_2 (CBOR Data Item) (66 bytes) Signature_or_MAC_2 (CBOR Data Item) (66 bytes)
58 40 41 e6 91 27 5b 84 04 24 25 5a cb 87 e6 33 d7 5d da 71 50 2d a2 58 40 c3 b5 bd 44 d1 e4 4a 08 5c 03 d3 ae de 4e 1e 6c 11 c5 72 a1 96
e3 da 5f ce ee c4 e3 f7 60 74 48 6f 87 e6 6f 2a ca a1 bb d4 8c e0 e6 8c c3 62 9b 50 5f 98 c6 81 60 8d 3d 1d e7 93 d1 c4 0e b5 dd 5d 89 ac
6a 5d 64 38 91 54 48 2f 9a 5e 57 22 70 63 31 59 f2 b1 7e 0e f1 96 6a ea 07 02 2b 48 cd c9 98 70 eb c4 03 74 e8 fa 6e 09
]]></artwork> ]]></artwork>
<t>The Responder constructs PLAINTEXT_2:</t> <t>The Responder constructs PLAINTEXT_2:</t>
<artwork><![CDATA[ <artwork><![CDATA[
PLAINTEXT_2 = PLAINTEXT_2 =
( (
C_R, C_R,
ID_CRED_R / bstr / -24..23, ID_CRED_R / bstr / -24..23,
Signature_or_MAC_2, Signature_or_MAC_2,
? EAD_2 ? EAD_2
) )
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
PLAINTEXT_2 (CBOR Sequence) (82 bytes) PLAINTEXT_2 (CBOR Sequence) (82 bytes)
41 18 a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b 58 40 41 e6 91 27 5b 41 18 a1 18 22 82 2e 48 79 f2 a4 1b 51 0c 1f 9b 58 40 c3 b5 bd 44 d1
84 04 24 25 5a cb 87 e6 33 d7 5d da 71 50 2d a2 e3 da 5f ce ee c4 e3 e4 4a 08 5c 03 d3 ae de 4e 1e 6c 11 c5 72 a1 96 8c c3 62 9b 50 5f 98
f7 60 74 48 6f 87 e6 6f 2a ca a1 bb d4 8c e0 e6 6a 5d 64 38 91 54 48 c6 81 60 8d 3d 1d e7 93 d1 c4 0e b5 dd 5d 89 ac f1 96 6a ea 07 02 2b
2f 9a 5e 57 22 70 63 31 59 f2 b1 7e 0e 48 cd c9 98 70 eb c4 03 74 e8 fa 6e 09
]]></artwork> ]]></artwork>
<t>The input needed to calculate KEYSTREAM_2 is defined in <xref section ="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>, using EDHOC_Expand() with the EDHOC hash algorithm:</t> <t>The input needed to calculate KEYSTREAM_2 is defined in <xref section ="4.1.2" sectionFormat="of" target="RFC9528"/>, using EDHOC_Expand() with the ED HOC hash algorithm:</t>
<artwork><![CDATA[ <artwork><![CDATA[
KEYSTREAM_2 = EDHOC_KDF( PRK_2e, 0, TH_2, plaintext_length ) = KEYSTREAM_2 = EDHOC_KDF( PRK_2e, 0, TH_2, plaintext_length )
= HKDF-Expand( PRK_2e, info, plaintext_length ) = HKDF-Expand( PRK_2e, info, plaintext_length )
]]></artwork> ]]></artwork>
<t>where plaintext_length is the length in bytes of PLAINTEXT_2 in bytes , and info for KEYSTREAM_2 is:</t> <t>where plaintext_length is the length in bytes of PLAINTEXT_2 in bytes and info for KEYSTREAM_2 is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
0, 0,
h'c6405c154c567466ab1df20369500e540e9f14bd3a796a06 h'c6405c154c567466ab1df20369500e540e9f14bd3a796a06
52cae66c9061688d', 52cae66c9061688d',
82 82
) )
]]></artwork> ]]></artwork>
<t>where the last value is the length in bytes of PLAINTEXT_2.</t> <t>where the last value is the length in bytes of PLAINTEXT_2.</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for KEYSTREAM_2 (CBOR Sequence) (37 bytes) info for KEYSTREAM_2 (CBOR Sequence) (37 bytes)
00 58 20 c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 00 58 20 c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd
3a 79 6a 06 52 ca e6 6c 90 61 68 8d 18 52 3a 79 6a 06 52 ca e6 6c 90 61 68 8d 18 52
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
KEYSTREAM_2 (Raw Value) (82 bytes) KEYSTREAM_2 (Raw Value) (82 bytes)
fd 3e 7c 3f 2d 6b ee 64 3d 3c 9d 2f 28 47 03 5d 73 e2 ec b0 f8 db 5c fd 3e 7c 3f 2d 6b ee 64 3d 3c 9d 2f 28 47 03 5d 73 e2 ec b0 f8 db 5c
d1 c6 85 4e 24 89 6a f2 11 88 b2 c4 34 4e 68 9e c2 98 42 83 d9 fb c6 d1 c6 85 4e 24 89 6a f2 11 88 b2 c4 34 4e 68 9e c2 98 42 83 d9 fb c6
9c e1 c5 db 10 dc ff f2 4d f9 a4 9a 04 a9 40 58 27 7b c7 fa 9a d6 c6 9c e1 c5 db 10 dc ff f2 4d f9 a4 9a 04 a9 40 58 27 7b c7 fa 9a d6 c6
b1 94 ab 32 8b 44 5e b0 80 49 0c d7 86 b1 94 ab 32 8b 44 5e b0 80 49 0c d7 86
]]></artwork> ]]></artwork>
<t>The Responder calculates CIPHERTEXT_2 as XOR between PLAINTEXT_2 and KEYSTREAM_2:</t> <t>The Responder calculates CIPHERTEXT_2 as XOR between PLAINTEXT_2 and KEYSTREAM_2:</t>
<artwork><![CDATA[ <artwork><![CDATA[
CIPHERTEXT_2 (Raw Value) (82 bytes) CIPHERTEXT_2 (Raw Value) (82 bytes)
bc 26 dd 27 0f e9 c0 2c 44 ce 39 34 79 4b 1c c6 2b a2 ad 56 69 fc 07 bc 26 dd 27 0f e9 c0 2c 44 ce 39 34 79 4b 1c c6 2b a2 2f 05 45 9f 8d
55 c2 a1 6b 7e 42 ed 14 22 5f ef 1e 45 1e 45 3c 21 42 1d 4d 37 3f 25 35 8c 8d 12 27 5a c4 2c 5f 96 de d5 f1 3c c9 08 4e 5b 20 18 89 a4 5e
6b 81 b1 93 7f 5b 19 9d 67 33 05 21 d0 25 a0 be 4d 26 a3 c2 0b 82 8e 5a 60 a5 56 2d c1 18 61 9c 3d aa 2f d9 f4 c9 f4 d6 ed ad 10 9d d4 ed
9e 0e f5 65 a9 34 3d 81 d9 bb bd a9 88 f9 59 62 aa fb af 9a b3 f4 a1 f6 b9 8f
]]></artwork> ]]></artwork>
<t>The Responder constructs message_2:</t> <t>The Responder constructs message_2:</t>
<artwork><![CDATA[ <artwork><![CDATA[
message_2 = message_2 =
( (
G_Y_CIPHERTEXT_2 G_Y_CIPHERTEXT_2
) )
]]></artwork> ]]></artwork>
<t>where G_Y_CIPHERTEXT_2 is the bstr encoding of the concatenation of <t>where G_Y_CIPHERTEXT_2 is the bstr encoding of the concatenation of
the raw values of G_Y and CIPHERTEXT_2.</t> the raw values of G_Y and CIPHERTEXT_2.</t>
<artwork><![CDATA[ <artwork><![CDATA[
message_2 (CBOR Sequence) (116 bytes) message_2 (CBOR Sequence) (116 bytes)
58 72 dc 88 d2 d5 1d a5 ed 67 fc 46 16 35 6b c8 ca 74 ef 9e be 8b 38 58 72 dc 88 d2 d5 1d a5 ed 67 fc 46 16 35 6b c8 ca 74 ef 9e be 8b 38
7e 62 3a 36 0b a4 80 b9 b2 9d 1c bc 26 dd 27 0f e9 c0 2c 44 ce 39 34 7e 62 3a 36 0b a4 80 b9 b2 9d 1c bc 26 dd 27 0f e9 c0 2c 44 ce 39 34
79 4b 1c c6 2b a2 ad 56 69 fc 07 55 c2 a1 6b 7e 42 ed 14 22 5f ef 1e 79 4b 1c c6 2b a2 2f 05 45 9f 8d 35 8c 8d 12 27 5a c4 2c 5f 96 de d5
45 1e 45 3c 21 42 1d 4d 37 3f 25 6b 81 b1 93 7f 5b 19 9d 67 33 05 21 f1 3c c9 08 4e 5b 20 18 89 a4 5e 5a 60 a5 56 2d c1 18 61 9c 3d aa 2f
d0 25 a0 be 4d 26 a3 c2 0b 82 8e 9e 0e f5 65 a9 34 3d 81 d9 bb bd a9 d9 f4 c9 f4 d6 ed ad 10 9d d4 ed f9 59 62 aa fb af 9a b3 f4 a1 f6 b9
88 8f
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="message3"> <section anchor="message3">
<name>message_3</name> <name>message_3</name>
<t>Since METHOD = 0, the Initiator authenticates using signatures. Since the selected cipher suite is 0, the EDHOC signature algorithm is EdDSA.</t> <t>Since METHOD = 0, the Initiator authenticates using signatures. Since the selected cipher suite is 0, the EDHOC signature algorithm is EdDSA.</t>
<t>The Initiator's signature key pair using EdDSA:</t> <t>The Initiator's signature key pair uses EdDSA:</t>
<artwork><![CDATA[ <artwork><![CDATA[
Initiator's private authentication key Initiator's private authentication key
SK_I (Raw Value) (32 bytes) SK_I (Raw Value) (32 bytes)
4c 5b 25 87 8f 50 7c 6b 9d ae 68 fb d4 fd 3f f9 97 53 3d b0 af 00 b2 4c 5b 25 87 8f 50 7c 6b 9d ae 68 fb d4 fd 3f f9 97 53 3d b0 af 00 b2
5d 32 4e a2 8e 6c 21 3b c8 5d 32 4e a2 8e 6c 21 3b c8
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Initiator's public authentication key Initiator's public authentication key
PK_I (Raw Value) (32 bytes) PK_I (Raw Value) (32 bytes)
ed 06 a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3 02 f4 3e 0f ed 06 a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3 02 f4 3e 0f
23 d8 cc 20 b7 30 85 14 1e 23 d8 cc 20 b7 30 85 14 1e
]]></artwork> ]]></artwork>
<t>PRK_4e3m is specified in <xref section="4.1.1.3" sectionFormat="of" t <t>PRK_4e3m is specified in <xref section="4.1.1.3" sectionFormat="of" t
arget="I-D.ietf-lake-edhoc"/>.</t> arget="RFC9528"/>.</t>
<t>Since the Initiator authenticates with signatures PRK_4e3m = PRK_3e2m <t>Since the Initiator authenticates with signatures, PRK_4e3m = PRK_3e2
.</t> m.</t>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_4e3m (Raw Value) (32 bytes) PRK_4e3m (Raw Value) (32 bytes)
d5 84 ac 2e 5d ad 5a 77 d1 4b 53 eb e7 2e f1 d5 da a8 86 0d 39 93 73 d5 84 ac 2e 5d ad 5a 77 d1 4b 53 eb e7 2e f1 d5 da a8 86 0d 39 93 73
bf 2c 24 0a fa 7b a8 04 da bf 2c 24 0a fa 7b a8 04 da
]]></artwork> ]]></artwork>
<t>The transcript hash TH_3 is calculated using the EDHOC hash algorithm :</t> <t>The transcript hash TH_3 is calculated using the EDHOC hash algorithm :</t>
<t>TH_3 = H(TH_2, PLAINTEXT_2, CRED_R)</t> <t>TH_3 = H( TH_2, PLAINTEXT_2, CRED_R )</t>
<artwork><![CDATA[ <artwork><![CDATA[
Input to calculate TH_3 (CBOR Sequence) (359 bytes) Input to calculate TH_3 (CBOR Sequence) (359 bytes)
58 20 c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a 58 20 c6 40 5c 15 4c 56 74 66 ab 1d f2 03 69 50 0e 54 0e 9f 14 bd 3a
79 6a 06 52 ca e6 6c 90 61 68 8d 41 18 a1 18 22 82 2e 48 79 f2 a4 1b 79 6a 06 52 ca e6 6c 90 61 68 8d 41 18 a1 18 22 82 2e 48 79 f2 a4 1b
51 0c 1f 9b 58 40 41 e6 91 27 5b 84 04 24 25 5a cb 87 e6 33 d7 5d da 51 0c 1f 9b 58 40 c3 b5 bd 44 d1 e4 4a 08 5c 03 d3 ae de 4e 1e 6c 11
71 50 2d a2 e3 da 5f ce ee c4 e3 f7 60 74 48 6f 87 e6 6f 2a ca a1 bb c5 72 a1 96 8c c3 62 9b 50 5f 98 c6 81 60 8d 3d 1d e7 93 d1 c4 0e b5
d4 8c e0 e6 6a 5d 64 38 91 54 48 2f 9a 5e 57 22 70 63 31 59 f2 b1 7e dd 5d 89 ac f1 96 6a ea 07 02 2b 48 cd c9 98 70 eb c4 03 74 e8 fa 6e
0e 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e c4 30 05 06 09 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e c4 30 05 06
03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20
52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30
38 32 34 33 36 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 22 38 32 34 33 36 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 22
31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 52 65 73 70 6f 6e 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 52 65 73 70 6f 6e
64 65 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 00 64 65 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 00
a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0 f2 c6 62 a1 db 47 b9 51 84 85 4a d1 2a 0c 1a 35 4e 41 8a ac e3 3a a0 f2 c6 62
c0 0b 3a c5 5d e9 2f 93 59 30 05 06 03 2b 65 70 03 41 00 b7 23 bc 01 c0 0b 3a c5 5d e9 2f 93 59 30 05 06 03 2b 65 70 03 41 00 b7 23 bc 01
ea b0 92 8e 8b 2b 6c 98 de 19 cc 38 23 d4 6e 7d 69 87 b0 32 47 8f ec ea b0 92 8e 8b 2b 6c 98 de 19 cc 38 23 d4 6e 7d 69 87 b0 32 47 8f ec
fa f1 45 37 a1 af 14 cc 8b e8 29 c6 b7 30 44 10 18 37 eb 4a bc 94 95 fa f1 45 37 a1 af 14 cc 8b e8 29 c6 b7 30 44 10 18 37 eb 4a bc 94 95
65 d8 6d ce 51 cf ae 52 ab 82 c1 52 cb 02 65 d8 6d ce 51 cf ae 52 ab 82 c1 52 cb 02
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
TH_3 (Raw Value) (32 bytes) TH_3 (Raw Value) (32 bytes)
e0 91 12 1a f5 ac 6c e2 14 5d 48 25 e0 90 12 f2 97 98 e8 f7 13 ac 98 5b 7d f9 b4 f5 8f 24 0c e0 41 8e 48 19 1b 5f ff 3a 22 b5 ca 57 f6 69
91 43 2d 22 56 b6 f6 78 e9 b1 67 77 99 65 92 e9 28 bc
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
TH_3 (CBOR Data Item) (34 bytes) TH_3 (CBOR Data Item) (34 bytes)
58 20 e0 91 12 1a f5 ac 6c e2 14 5d 48 25 e0 90 12 f2 97 98 e8 f7 13 58 20 5b 7d f9 b4 f5 8f 24 0c e0 41 8e 48 19 1b 5f ff 3a 22 b5 ca 57
ac 98 91 43 2d 22 56 b6 f6 78 e9 f6 69 b1 67 77 99 65 92 e9 28 bc
]]></artwork> ]]></artwork>
<t>The Initiator constructs the remaining input needed to calculate MAC_ 3:</t> <t>The Initiator constructs the remaining input needed to calculate MAC_ 3:</t>
<artwork><![CDATA[ <artwork><![CDATA[
MAC_3 = EDHOC_KDF( PRK_4e3m, 6, context_3, mac_length_3 ) MAC_3 = EDHOC_KDF( PRK_4e3m, 6, context_3, mac_length_3 )
]]></artwork> ]]></artwork>
<t>where</t> <t>where</t>
<artwork><![CDATA[ <artwork><![CDATA[
context_3 = << ID_CRED_I, TH_3, CRED_I, ? EAD_3 >> context_3 = << ID_CRED_I, TH_3, CRED_I, ? EAD_3 >>
]]></artwork> ]]></artwork>
<t>CRED_I is identified by a 64-bit hash:</t> <t>CRED_I is identified by a 64-bit hash:</t>
<artwork><![CDATA[ <artwork><![CDATA[
ID_CRED_I = ID_CRED_I =
{ {
34 : [-15, h'c24ab2fd7643c79f'] 34 : [-15, h'c24ab2fd7643c79f']
} }
]]></artwork> ]]></artwork>
<t>where the COSE header value 34 ('x5t') indicates a hash of an X.509 c ertficate, <t>where the COSE header value 34 ('x5t') indicates a hash of an X.509 c ertificate,
and the COSE algorithm -15 indicates the hash algorithm SHA-256 truncated to 64 bits.</t> and the COSE algorithm -15 indicates the hash algorithm SHA-256 truncated to 64 bits.</t>
<artwork><![CDATA[ <artwork><![CDATA[
ID_CRED_I (CBOR Data Item) (14 bytes) ID_CRED_I (CBOR Data Item) (14 bytes)
a1 18 22 82 2e 48 c2 4a b2 fd 76 43 c7 9f a1 18 22 82 2e 48 c2 4a b2 fd 76 43 c7 9f
]]></artwork> ]]></artwork>
<t>CRED_I is a CBOR byte string of the DER encoding of the X.509 certifi cate in <xref target="init-cer"/>:</t> <t>CRED_I is a CBOR byte string of the DER encoding of the X.509 certifi cate in <xref target="init-cer"/>:</t>
<artwork><![CDATA[ <artwork><![CDATA[
CRED_I (Raw Value) (241 bytes) CRED_I (Raw Value) (241 bytes)
30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e a0 30 05 06 03 2b 65 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e a0 30 05 06 03 2b 65
70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 52 6f 6f 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 52 6f 6f
skipping to change at line 659 skipping to change at line 676
ae 48 b7 56 01 59 81 85 0d 27 db 67 34 e3 7f 67 21 22 67 dd 05 ee ff ae 48 b7 56 01 59 81 85 0d 27 db 67 34 e3 7f 67 21 22 67 dd 05 ee ff
27 b9 e7 a8 13 fa 57 4b 72 a0 0b 43 0b 27 b9 e7 a8 13 fa 57 4b 72 a0 0b 43 0b
]]></artwork> ]]></artwork>
<t>No external authorization data:</t> <t>No external authorization data:</t>
<artwork><![CDATA[ <artwork><![CDATA[
EAD_3 (CBOR Sequence) (0 bytes) EAD_3 (CBOR Sequence) (0 bytes)
]]></artwork> ]]></artwork>
<t>context_3 = &lt;&lt; ID_CRED_I, TH_3, CRED_I, ? EAD_3 &gt;&gt;</t> <t>context_3 = &lt;&lt; ID_CRED_I, TH_3, CRED_I, ? EAD_3 &gt;&gt;</t>
<artwork><![CDATA[ <artwork><![CDATA[
context_3 (CBOR Sequence) (291 bytes) context_3 (CBOR Sequence) (291 bytes)
a1 18 22 82 2e 48 c2 4a b2 fd 76 43 c7 9f 58 20 e0 91 12 1a f5 ac 6c a1 18 22 82 2e 48 c2 4a b2 fd 76 43 c7 9f 58 20 5b 7d f9 b4 f5 8f 24
e2 14 5d 48 25 e0 90 12 f2 97 98 e8 f7 13 ac 98 91 43 2d 22 56 b6 f6 0c e0 41 8e 48 19 1b 5f ff 3a 22 b5 ca 57 f6 69 b1 67 77 99 65 92 e9
78 e9 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e a0 30 05 28 bc 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e a0 30 05
06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43
20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36
30 38 32 34 30 30 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 30 38 32 34 30 30 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30
22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 49 6e 69 74 69 22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 49 6e 69 74 69
61 74 6f 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 61 74 6f 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21
00 ed 06 a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3 02 f4 3e 00 ed 06 a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3 02 f4 3e
0f 23 d8 cc 20 b7 30 85 14 1e 30 05 06 03 2b 65 70 03 41 00 52 12 41 0f 23 d8 cc 20 b7 30 85 14 1e 30 05 06 03 2b 65 70 03 41 00 52 12 41
d8 b3 a7 70 99 6b cf c9 b9 ea d4 e7 e0 a1 c0 db 35 3a 3b df 29 10 b3 d8 b3 a7 70 99 6b cf c9 b9 ea d4 e7 e0 a1 c0 db 35 3a 3b df 29 10 b3
92 75 ae 48 b7 56 01 59 81 85 0d 27 db 67 34 e3 7f 67 21 22 67 dd 05 92 75 ae 48 b7 56 01 59 81 85 0d 27 db 67 34 e3 7f 67 21 22 67 dd 05
ee ff 27 b9 e7 a8 13 fa 57 4b 72 a0 0b 43 0b ee ff 27 b9 e7 a8 13 fa 57 4b 72 a0 0b 43 0b
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
context_3 (CBOR byte string) (294 bytes) context_3 (CBOR byte string) (294 bytes)
59 01 23 a1 18 22 82 2e 48 c2 4a b2 fd 76 43 c7 9f 58 20 e0 91 12 1a 59 01 23 a1 18 22 82 2e 48 c2 4a b2 fd 76 43 c7 9f 58 20 5b 7d f9 b4
f5 ac 6c e2 14 5d 48 25 e0 90 12 f2 97 98 e8 f7 13 ac 98 91 43 2d 22 f5 8f 24 0c e0 41 8e 48 19 1b 5f ff 3a 22 b5 ca 57 f6 69 b1 67 77 99
56 b6 f6 78 e9 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e 65 92 e9 28 bc 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e
a0 30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 a0 30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44
48 4f 43 20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 48 4f 43 20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30
33 31 36 30 38 32 34 30 30 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 33 31 36 30 38 32 34 30 30 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30
30 5a 30 22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 49 6e 30 5a 30 22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 49 6e
69 74 69 61 74 6f 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65 69 74 69 61 74 6f 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65
70 03 21 00 ed 06 a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3 70 03 21 00 ed 06 a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3
02 f4 3e 0f 23 d8 cc 20 b7 30 85 14 1e 30 05 06 03 2b 65 70 03 41 00 02 f4 3e 0f 23 d8 cc 20 b7 30 85 14 1e 30 05 06 03 2b 65 70 03 41 00
52 12 41 d8 b3 a7 70 99 6b cf c9 b9 ea d4 e7 e0 a1 c0 db 35 3a 3b df 52 12 41 d8 b3 a7 70 99 6b cf c9 b9 ea d4 e7 e0 a1 c0 db 35 3a 3b df
29 10 b3 92 75 ae 48 b7 56 01 59 81 85 0d 27 db 67 34 e3 7f 67 21 22 29 10 b3 92 75 ae 48 b7 56 01 59 81 85 0d 27 db 67 34 e3 7f 67 21 22
67 dd 05 ee ff 27 b9 e7 a8 13 fa 57 4b 72 a0 0b 43 0b 67 dd 05 ee ff 27 b9 e7 a8 13 fa 57 4b 72 a0 0b 43 0b
]]></artwork> ]]></artwork>
<t>MAC_3 is computed through EDHOC_Expand() using the EDHOC hash algorit hm, see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>: </t> <t>MAC_3 is computed through EDHOC_Expand() using the EDHOC hash algorit hm (see <xref section="4.1.2" sectionFormat="of" target="RFC9528"/>):</t>
<artwork><![CDATA[ <artwork><![CDATA[
MAC_3 = HKDF-Expand(PRK_4e3m, info, mac_length_3), where MAC_3 = HKDF-Expand( PRK_4e3m, info, mac_length_3 )
]]></artwork>
<t>where</t>
<artwork><![CDATA[
info = ( 6, context_3, mac_length_3 )
]]></artwork>
<t>where</t>
<artwork><![CDATA[
context_3 = << ID_CRED_I, TH_3, CRED_I, ? EAD_3 >>
]]></artwork> ]]></artwork>
<t>info = ( 6, context_3, mac_length_3 )</t>
<t>where context_3 = &lt;&lt; ID_CRED_I, TH_3, CRED_I, ? EAD_3 &gt;&gt;<
/t>
<t>Since METHOD = 0, mac_length_3 is given by the EDHOC hash algorithm.< /t> <t>Since METHOD = 0, mac_length_3 is given by the EDHOC hash algorithm.< /t>
<t>info for MAC_3 is:</t> <t>info for MAC_3 is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
6, 6,
h'a11822822e48c24ab2fd7643c79f5820e091121af5ac6ce2 h'a11822822e48c24ab2fd7643c79f58205b7df9b4f58f240c
145d4825e09012f29798e8f713ac9891432d2256b6f678e9 e0418e48191b5fff3a22b5ca57f669b16777996592e928bc
58f13081ee3081a1a003020102020462319ea0300506032b 58f13081ee3081a1a003020102020462319ea0300506032b
6570301d311b301906035504030c124544484f4320526f6f 6570301d311b301906035504030c124544484f4320526f6f
742045643235353139301e170d3232303331363038323430 742045643235353139301e170d3232303331363038323430
305a170d3239313233313233303030305a30223120301e06 305a170d3239313233313233303030305a30223120301e06
035504030c174544484f4320496e69746961746f72204564 035504030c174544484f4320496e69746961746f72204564
3235353139302a300506032b6570032100ed06a8ae61a829 3235353139302a300506032b6570032100ed06a8ae61a829
ba5fa54525c9d07f48dd44a302f43e0f23d8cc20b7308514 ba5fa54525c9d07f48dd44a302f43e0f23d8cc20b7308514
1e300506032b6570034100521241d8b3a770996bcfc9b9ea 1e300506032b6570034100521241d8b3a770996bcfc9b9ea
d4e7e0a1c0db353a3bdf2910b39275ae48b756015981850d d4e7e0a1c0db353a3bdf2910b39275ae48b756015981850d
27db6734e37f67212267dd05eeff27b9e7a813fa574b72a0 27db6734e37f67212267dd05eeff27b9e7a813fa574b72a0
0b430b', 0b430b',
32 32
) )
]]></artwork> ]]></artwork>
<t>where the last value is the output size of the EDHOC hash algorithm i n bytes.</t> <t>where the last value is the output size of the EDHOC hash algorithm i n bytes.</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for MAC_3 (CBOR Sequence) (297 bytes) info for MAC_3 (CBOR Sequence) (297 bytes)
06 59 01 23 a1 18 22 82 2e 48 c2 4a b2 fd 76 43 c7 9f 58 20 e0 91 12 06 59 01 23 a1 18 22 82 2e 48 c2 4a b2 fd 76 43 c7 9f 58 20 5b 7d f9
1a f5 ac 6c e2 14 5d 48 25 e0 90 12 f2 97 98 e8 f7 13 ac 98 91 43 2d b4 f5 8f 24 0c e0 41 8e 48 19 1b 5f ff 3a 22 b5 ca 57 f6 69 b1 67 77
22 56 b6 f6 78 e9 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 99 65 92 e9 28 bc 58 f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31
9e a0 30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 9e a0 30 05 06 03 2b 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45
44 48 4f 43 20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 44 48 4f 43 20 52 6f 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32
30 33 31 36 30 38 32 34 30 30 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 33 31 36 30 38 32 34 30 30 5a 17 0d 32 39 31 32 33 31 32 33 30 30
30 30 5a 30 22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 49 30 30 5a 30 22 31 20 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 49
6e 69 74 69 61 74 6f 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 6e 69 74 69 61 74 6f 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b
65 70 03 21 00 ed 06 a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 65 70 03 21 00 ed 06 a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44
a3 02 f4 3e 0f 23 d8 cc 20 b7 30 85 14 1e 30 05 06 03 2b 65 70 03 41 a3 02 f4 3e 0f 23 d8 cc 20 b7 30 85 14 1e 30 05 06 03 2b 65 70 03 41
00 52 12 41 d8 b3 a7 70 99 6b cf c9 b9 ea d4 e7 e0 a1 c0 db 35 3a 3b 00 52 12 41 d8 b3 a7 70 99 6b cf c9 b9 ea d4 e7 e0 a1 c0 db 35 3a 3b
df 29 10 b3 92 75 ae 48 b7 56 01 59 81 85 0d 27 db 67 34 e3 7f 67 21 df 29 10 b3 92 75 ae 48 b7 56 01 59 81 85 0d 27 db 67 34 e3 7f 67 21
22 67 dd 05 ee ff 27 b9 e7 a8 13 fa 57 4b 72 a0 0b 43 0b 18 20 22 67 dd 05 ee ff 27 b9 e7 a8 13 fa 57 4b 72 a0 0b 43 0b 18 20
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
MAC_3 (Raw Value) (32 bytes) MAC_3 (Raw Value) (32 bytes)
51 c9 68 a7 f9 fd ea 19 c7 02 3f 70 22 b4 d9 f2 14 77 2e f5 88 59 05 39 b1 27 c1 30 12 9a fa 30 61 8c 75 13 29 e6 37 cc 37 34 27 0d 4b 01
24 05 76 f6 2d 03 6e 69 dc 25 84 45 a8 ee 02 da a3 bd
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
MAC_3 (CBOR Data Item) (34 bytes) MAC_3 (CBOR Data Item) (34 bytes)
58 20 51 c9 68 a7 f9 fd ea 19 c7 02 3f 70 22 b4 d9 f2 14 77 2e f5 88 58 20 39 b1 27 c1 30 12 9a fa 30 61 8c 75 13 29 e6 37 cc 37 34 27 0d
59 05 24 05 76 f6 2d 03 6e 69 dc 4b 01 25 84 45 a8 ee 02 da a3 bd
]]></artwork> ]]></artwork>
<t>Since METHOD = 0, Signature_or_MAC_3 is the 'signature' of the <t>Since METHOD = 0, Signature_or_MAC_3 is the 'signature' of the
COSE_Sign1 object.</t> COSE_Sign1 object.</t>
<t>The Initiator constructs the message to be signed:</t> <t>The Initiator constructs the message to be signed:</t>
<artwork><![CDATA[ <artwork><![CDATA[
[ "Signature1", << ID_CRED_I >>, [
<< TH_3, CRED_I, ? EAD_3 >>, MAC_3 ] = "Signature1",
<< ID_CRED_I >>,
<< TH_3, CRED_I, ? EAD_3 >>,
MAC_3
] =
[ [
"Signature1", "Signature1",
h'a11822822e48c24ab2fd7643c79f', h'a11822822e48c24ab2fd7643c79f',
h'5820e091121af5ac6ce2145d4825e09012f29798e8f713ac h'58205b7df9b4f58f240ce0418e48191b5fff3a22b5ca57f6
9891432d2256b6f678e958f13081ee3081a1a00302010202 69b16777996592e928bc58f13081ee3081a1a00302010202
0462319ea0300506032b6570301d311b301906035504030c 0462319ea0300506032b6570301d311b301906035504030c
124544484f4320526f6f742045643235353139301e170d32 124544484f4320526f6f742045643235353139301e170d32
32303331363038323430305a170d32393132333132333030 32303331363038323430305a170d32393132333132333030
30305a30223120301e06035504030c174544484f4320496e 30305a30223120301e06035504030c174544484f4320496e
69746961746f722045643235353139302a300506032b6570 69746961746f722045643235353139302a300506032b6570
032100ed06a8ae61a829ba5fa54525c9d07f48dd44a302f4 032100ed06a8ae61a829ba5fa54525c9d07f48dd44a302f4
3e0f23d8cc20b73085141e300506032b6570034100521241 3e0f23d8cc20b73085141e300506032b6570034100521241
d8b3a770996bcfc9b9ead4e7e0a1c0db353a3bdf2910b392 d8b3a770996bcfc9b9ead4e7e0a1c0db353a3bdf2910b392
75ae48b756015981850d27db6734e37f67212267dd05eeff 75ae48b756015981850d27db6734e37f67212267dd05eeff
27b9e7a813fa574b72a00b430b', 27b9e7a813fa574b72a00b430b',
h'51c968a7f9fdea19c7023f7022b4d9f214772ef588590524 h'39b127c130129afa30618c751329e637cc3734270d4b0125
0576f62d036e69dc' 8445a8ee02daa3bd'
] ]
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Message to be signed 3 (CBOR Data Item) (341 bytes) Message to be signed in message_3 (CBOR Data Item) (341 bytes)
84 6a 53 69 67 6e 61 74 75 72 65 31 4e a1 18 22 82 2e 48 c2 4a b2 fd 84 6a 53 69 67 6e 61 74 75 72 65 31 4e a1 18 22 82 2e 48 c2 4a b2 fd
76 43 c7 9f 59 01 15 58 20 e0 91 12 1a f5 ac 6c e2 14 5d 48 25 e0 90 76 43 c7 9f 59 01 15 58 20 5b 7d f9 b4 f5 8f 24 0c e0 41 8e 48 19 1b
12 f2 97 98 e8 f7 13 ac 98 91 43 2d 22 56 b6 f6 78 e9 58 f1 30 81 ee 5f ff 3a 22 b5 ca 57 f6 69 b1 67 77 99 65 92 e9 28 bc 58 f1 30 81 ee
30 81 a1 a0 03 02 01 02 02 04 62 31 9e a0 30 05 06 03 2b 65 70 30 1d 30 81 a1 a0 03 02 01 02 02 04 62 31 9e a0 30 05 06 03 2b 65 70 30 1d
31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 52 6f 6f 74 20 45 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 52 6f 6f 74 20 45
64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30 38 32 34 30 30 5a 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30 38 32 34 30 30 5a
17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 22 31 20 30 1e 06 03 17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 22 31 20 30 1e 06 03
55 04 03 0c 17 45 44 48 4f 43 20 49 6e 69 74 69 61 74 6f 72 20 45 64 55 04 03 0c 17 45 44 48 4f 43 20 49 6e 69 74 69 61 74 6f 72 20 45 64
32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 00 ed 06 a8 ae 61 a8 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 00 ed 06 a8 ae 61 a8
29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3 02 f4 3e 0f 23 d8 cc 20 b7 30 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3 02 f4 3e 0f 23 d8 cc 20 b7 30
85 14 1e 30 05 06 03 2b 65 70 03 41 00 52 12 41 d8 b3 a7 70 99 6b cf 85 14 1e 30 05 06 03 2b 65 70 03 41 00 52 12 41 d8 b3 a7 70 99 6b cf
c9 b9 ea d4 e7 e0 a1 c0 db 35 3a 3b df 29 10 b3 92 75 ae 48 b7 56 01 c9 b9 ea d4 e7 e0 a1 c0 db 35 3a 3b df 29 10 b3 92 75 ae 48 b7 56 01
59 81 85 0d 27 db 67 34 e3 7f 67 21 22 67 dd 05 ee ff 27 b9 e7 a8 13 59 81 85 0d 27 db 67 34 e3 7f 67 21 22 67 dd 05 ee ff 27 b9 e7 a8 13
fa 57 4b 72 a0 0b 43 0b 58 20 51 c9 68 a7 f9 fd ea 19 c7 02 3f 70 22 fa 57 4b 72 a0 0b 43 0b 58 20 39 b1 27 c1 30 12 9a fa 30 61 8c 75 13
b4 d9 f2 14 77 2e f5 88 59 05 24 05 76 f6 2d 03 6e 69 dc 29 e6 37 cc 37 34 27 0d 4b 01 25 84 45 a8 ee 02 da a3 bd
]]></artwork> ]]></artwork>
<t>The Initiator signs using the private authentication key SK_I:</t> <t>The Initiator signs using the private authentication key SK_I:</t>
<artwork><![CDATA[ <artwork><![CDATA[
Signature_or_MAC_3 (Raw Value) (64 bytes) Signature_or_MAC_3 (Raw Value) (64 bytes)
fc 10 7e c0 0f 74 ba 31 47 40 04 da 60 c5 b0 e1 eb 18 37 c0 f2 1e 00 96 e1 cd 5f ce ad fa c1 b5 af 81 94 43 f7 09 24 f5 71 99 55 95 7f d0
81 6f bd bb e9 75 a8 05 68 3d 12 69 5b 1f a4 dc 71 f6 4c 6e 9e e9 32 26 55 be b4 77 5e 1a 73 18 6a 0d 1d 3e a6 83 f0 8f 8d 03 dc ec b9 cf
0a 19 19 85 57 41 e2 7a 16 02 97 8a 13 4f 3e 57 4f 06 15 4e 1c 6f 55 5a 1e 12 ca 11 8c e4 2b db a6 87 89 07
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Signature_or_MAC_3 (CBOR Data Item) (66 bytes) Signature_or_MAC_3 (CBOR Data Item) (66 bytes)
58 40 fc 10 7e c0 0f 74 ba 31 47 40 04 da 60 c5 b0 e1 eb 18 37 c0 f2 58 40 96 e1 cd 5f ce ad fa c1 b5 af 81 94 43 f7 09 24 f5 71 99 55 95
1e 00 81 6f bd bb e9 75 a8 05 68 3d 12 69 5b 1f a4 dc 71 f6 4c 6e 9e 7f d0 26 55 be b4 77 5e 1a 73 18 6a 0d 1d 3e a6 83 f0 8f 8d 03 dc ec
e9 32 0a 19 19 85 57 41 e2 7a 16 02 97 8a 13 4f 3e 57 4f 06 b9 cf 15 4e 1c 6f 55 5a 1e 12 ca 11 8c e4 2b db a6 87 89 07
]]></artwork> ]]></artwork>
<t>The Initiator constructs PLAINTEXT_3:</t> <t>The Initiator constructs PLAINTEXT_3:</t>
<artwork><![CDATA[ <artwork><![CDATA[
PLAINTEXT_3 = PLAINTEXT_3 =
( (
ID_CRED_I / bstr / -24..23, ID_CRED_I / bstr / -24..23,
Signature_or_MAC_3, Signature_or_MAC_3,
? EAD_3 ? EAD_3
) )
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
PLAINTEXT_3 (CBOR Sequence) (80 bytes) PLAINTEXT_3 (CBOR Sequence) (80 bytes)
a1 18 22 82 2e 48 c2 4a b2 fd 76 43 c7 9f 58 40 fc 10 7e c0 0f 74 ba a1 18 22 82 2e 48 c2 4a b2 fd 76 43 c7 9f 58 40 96 e1 cd 5f ce ad fa
31 47 40 04 da 60 c5 b0 e1 eb 18 37 c0 f2 1e 00 81 6f bd bb e9 75 a8 c1 b5 af 81 94 43 f7 09 24 f5 71 99 55 95 7f d0 26 55 be b4 77 5e 1a
05 68 3d 12 69 5b 1f a4 dc 71 f6 4c 6e 9e e9 32 0a 19 19 85 57 41 e2 73 18 6a 0d 1d 3e a6 83 f0 8f 8d 03 dc ec b9 cf 15 4e 1c 6f 55 5a 1e
7a 16 02 97 8a 13 4f 3e 57 4f 06 12 ca 11 8c e4 2b db a6 87 89 07
]]></artwork> ]]></artwork>
<t>The Initiator constructs the associated data for message_3:</t> <t>The Initiator constructs the associated data for message_3:</t>
<artwork><![CDATA[ <artwork><![CDATA[
A_3 = A_3 =
[ [
"Encrypt0", "Encrypt0",
h'', h'',
h'e091121af5ac6ce2145d4825e09012f29798e8f713ac9891 h'5b7df9b4f58f240ce0418e48191b5fff3a22b5ca57f669b1
432d2256b6f678e9' 6777996592e928bc'
] ]
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
A_3 (CBOR Data Item) (45 bytes) A_3 (CBOR Data Item) (45 bytes)
83 68 45 6e 63 72 79 70 74 30 40 58 20 e0 91 12 1a f5 ac 6c e2 14 5d 83 68 45 6e 63 72 79 70 74 30 40 58 20 5b 7d f9 b4 f5 8f 24 0c e0 41
48 25 e0 90 12 f2 97 98 e8 f7 13 ac 98 91 43 2d 22 56 b6 f6 78 e9 8e 48 19 1b 5f ff 3a 22 b5 ca 57 f6 69 b1 67 77 99 65 92 e9 28 bc
]]></artwork> ]]></artwork>
<t>The Initiator constructs the input needed to derive the key K_3, see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>, using t he EDHOC hash algorithm:</t> <t>The Initiator constructs the input needed to derive the key K_3 (see <xref section="4.1.2" sectionFormat="of" target="RFC9528"/>) using the EDHOC has h algorithm:</t>
<artwork><![CDATA[ <artwork><![CDATA[
K_3 = EDHOC_KDF( PRK_3e2m, 3, TH_3, key_length ) K_3 = EDHOC_KDF( PRK_3e2m, 3, TH_3, key_length )
= HKDF-Expand( PRK_3e2m, info, key_length ), = HKDF-Expand( PRK_3e2m, info, key_length )
]]></artwork> ]]></artwork>
<t>where key_length is the key length in bytes for the EDHOC AEAD algori thm, and info for K_3 is:</t> <t>where key_length is the key length in bytes for the EDHOC Authenticat ed Encryption with Associated Data (AEAD) algorithm, and info for K_3 is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
3, 3,
h'e091121af5ac6ce2145d4825e09012f29798e8f713ac9891 h'5b7df9b4f58f240ce0418e48191b5fff3a22b5ca57f669b1
432d2256b6f678e9', 6777996592e928bc',
16 16
) )
]]></artwork> ]]></artwork>
<t>where the last value is the key length in bytes for the EDHOC AEAD al gorithm.</t> <t>where the last value is the key length in bytes for the EDHOC AEAD al gorithm.</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for K_3 (CBOR Sequence) (36 bytes) info for K_3 (CBOR Sequence) (36 bytes)
03 58 20 e0 91 12 1a f5 ac 6c e2 14 5d 48 25 e0 90 12 f2 97 98 e8 f7 03 58 20 5b 7d f9 b4 f5 8f 24 0c e0 41 8e 48 19 1b 5f ff 3a 22 b5 ca
13 ac 98 91 43 2d 22 56 b6 f6 78 e9 10 57 f6 69 b1 67 77 99 65 92 e9 28 bc 10
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
K_3 (Raw Value) (16 bytes) K_3 (Raw Value) (16 bytes)
95 65 a2 09 f6 7f d0 e1 62 9e 6f e7 c0 cc 3e 4a da 19 5e 5f 64 8a c6 3b 0e 8f b0 c4 55 20 51 39
]]></artwork> ]]></artwork>
<t>The Initiator constructs the input needed to derive the nonce IV_3, s ee <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>, usin g the EDHOC hash algorithm:</t> <t>The Initiator constructs the input needed to derive the nonce IV_3 (s ee <xref section="4.1.2" sectionFormat="of" target="RFC9528"/>) using the EDHOC hash algorithm:</t>
<artwork><![CDATA[ <artwork><![CDATA[
IV_3 = EDHOC_KDF( PRK_3e2m, 4, TH_3, iv_length ) IV_3 = EDHOC_KDF( PRK_3e2m, 4, TH_3, iv_length )
= HKDF-Expand( PRK_3e2m, info, iv_length ), = HKDF-Expand( PRK_3e2m, info, iv_length )
]]></artwork> ]]></artwork>
<t>where iv_length is the nonce length in bytes for the EDHOC AEAD algor ithm, and info for IV_3 is:</t> <t>where iv_length is the nonce length in bytes for the EDHOC AEAD algor ithm, and info for IV_3 is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
4, 4,
h'e091121af5ac6ce2145d4825e09012f29798e8f713ac9891 h'5b7df9b4f58f240ce0418e48191b5fff3a22b5ca57f669b1
432d2256b6f678e9', 6777996592e928bc',
13 13
) )
]]></artwork> ]]></artwork>
<t>where the last value is the nonce length in bytes for the EDHOC AEAD algorithm.</t> <t>where the last value is the nonce length in bytes for the EDHOC AEAD algorithm.</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for IV_3 (CBOR Sequence) (36 bytes) info for IV_3 (CBOR Sequence) (36 bytes)
04 58 20 e0 91 12 1a f5 ac 6c e2 14 5d 48 25 e0 90 12 f2 97 98 e8 f7 04 58 20 5b 7d f9 b4 f5 8f 24 0c e0 41 8e 48 19 1b 5f ff 3a 22 b5 ca
13 ac 98 91 43 2d 22 56 b6 f6 78 e9 0d 57 f6 69 b1 67 77 99 65 92 e9 28 bc 0d
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
IV_3 (Raw Value) (13 bytes) IV_3 (Raw Value) (13 bytes)
b6 a7 79 c4 b0 e7 40 fd 8d 77 4d 0a d6 38 d8 c6 4c 56 25 5a ff a4 49 f4 be d7
]]></artwork> ]]></artwork>
<t>The Initiator calculates CIPHERTEXT_3 as 'ciphertext' of COSE_Encrypt 0 applied <t>The Initiator calculates CIPHERTEXT_3 as 'ciphertext' of COSE_Encrypt 0 applied
using the EDHOC AEAD algorithm with plaintext PLAINTEXT_3, additional data using the EDHOC AEAD algorithm with plaintext PLAINTEXT_3, additional data
A_3, key K_3 and nonce IV_3.</t> A_3, key K_3, and nonce IV_3.</t>
<artwork><![CDATA[ <artwork><![CDATA[
CIPHERTEXT_3 (Raw Value) (88 bytes) CIPHERTEXT_3 (Raw Value) (88 bytes)
aa 96 6a 1a a4 fa 44 9a 17 2a 16 0b 96 e6 44 f6 a3 33 29 f2 7c 6a f5 25 c3 45 88 4a aa eb 22 c5 27 f9 b1 d2 b6 78 72 07 e0 16 3c 69 b6 2a
bb ef c6 11 58 d0 ad dd 99 06 9b 9a 19 7f f7 c9 0e 62 f3 b5 56 64 c5 0d 43 92 81 50 42 72 03 c3 16 74 e4 51 4e a6 e3 83 b5 66 eb 29 76 3e
83 74 7b 9a 40 2c cd 68 90 7f e4 58 b1 6a d5 2d 63 a0 0e 5a 85 df 95 fe b0 af a5 18 77 6a e1 c6 5f 85 6d 84 bf 32 af 3a 78 36 97 04 66 dc
ee 7b 1b 49 8a c9 83 42 00 8c 04 71 c1 ae 8d 75 82 50 44 b7 1f 76 74 5d 39 d3 02 5e 77 03 e0 c0 32 eb ad 51 94 7c
]]></artwork> ]]></artwork>
<t>message_3 is the CBOR bstr encoding of CIPHERTEXT_3:</t> <t>message_3 is the CBOR bstr encoding of CIPHERTEXT_3:</t>
<artwork><![CDATA[ <artwork><![CDATA[
message_3 (CBOR Sequence) (90 bytes) message_3 (CBOR Sequence) (90 bytes)
58 58 aa 96 6a 1a a4 fa 44 9a 17 2a 16 0b 96 e6 44 f6 a3 33 29 f2 7c 58 58 25 c3 45 88 4a aa eb 22 c5 27 f9 b1 d2 b6 78 72 07 e0 16 3c 69
6a f5 bb ef c6 11 58 d0 ad dd 99 06 9b 9a 19 7f f7 c9 0e 62 f3 b5 56 b6 2a 0d 43 92 81 50 42 72 03 c3 16 74 e4 51 4e a6 e3 83 b5 66 eb 29
64 c5 83 74 7b 9a 40 2c cd 68 90 7f e4 58 b1 6a d5 2d 63 a0 0e 5a 85 76 3e fe b0 af a5 18 77 6a e1 c6 5f 85 6d 84 bf 32 af 3a 78 36 97 04
df 95 ee 7b 1b 49 8a c9 83 42 00 8c 04 71 c1 ae 8d 75 82 50 44 66 dc b7 1f 76 74 5d 39 d3 02 5e 77 03 e0 c0 32 eb ad 51 94 7c
]]></artwork> ]]></artwork>
<t>The transcript hash TH_4 is calculated using the EDHOC hash algorithm :</t> <t>The transcript hash TH_4 is calculated using the EDHOC hash algorithm :</t>
<t>TH_4 = H( TH_3, PLAINTEXT_3, CRED_I )</t> <t>TH_4 = H( TH_3, PLAINTEXT_3, CRED_I )</t>
<artwork><![CDATA[ <artwork><![CDATA[
Input to calculate TH_4 (CBOR Sequence) (357 bytes) Input to calculate TH_4 (CBOR Sequence) (357 bytes)
58 20 e0 91 12 1a f5 ac 6c e2 14 5d 48 25 e0 90 12 f2 97 98 e8 f7 13 58 20 5b 7d f9 b4 f5 8f 24 0c e0 41 8e 48 19 1b 5f ff 3a 22 b5 ca 57
ac 98 91 43 2d 22 56 b6 f6 78 e9 a1 18 22 82 2e 48 c2 4a b2 fd 76 43 f6 69 b1 67 77 99 65 92 e9 28 bc a1 18 22 82 2e 48 c2 4a b2 fd 76 43
c7 9f 58 40 fc 10 7e c0 0f 74 ba 31 47 40 04 da 60 c5 b0 e1 eb 18 37 c7 9f 58 40 96 e1 cd 5f ce ad fa c1 b5 af 81 94 43 f7 09 24 f5 71 99
c0 f2 1e 00 81 6f bd bb e9 75 a8 05 68 3d 12 69 5b 1f a4 dc 71 f6 4c 55 95 7f d0 26 55 be b4 77 5e 1a 73 18 6a 0d 1d 3e a6 83 f0 8f 8d 03
6e 9e e9 32 0a 19 19 85 57 41 e2 7a 16 02 97 8a 13 4f 3e 57 4f 06 58 dc ec b9 cf 15 4e 1c 6f 55 5a 1e 12 ca 11 8c e4 2b db a6 87 89 07 58
f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e a0 30 05 06 03 2b f1 30 81 ee 30 81 a1 a0 03 02 01 02 02 04 62 31 9e a0 30 05 06 03 2b
65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 52 6f 65 70 30 1d 31 1b 30 19 06 03 55 04 03 0c 12 45 44 48 4f 43 20 52 6f
6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30 38 32 6f 74 20 45 64 32 35 35 31 39 30 1e 17 0d 32 32 30 33 31 36 30 38 32
34 30 30 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 22 31 20 34 30 30 5a 17 0d 32 39 31 32 33 31 32 33 30 30 30 30 5a 30 22 31 20
30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 49 6e 69 74 69 61 74 6f 30 1e 06 03 55 04 03 0c 17 45 44 48 4f 43 20 49 6e 69 74 69 61 74 6f
72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 00 ed 06 72 20 45 64 32 35 35 31 39 30 2a 30 05 06 03 2b 65 70 03 21 00 ed 06
a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3 02 f4 3e 0f 23 d8 a8 ae 61 a8 29 ba 5f a5 45 25 c9 d0 7f 48 dd 44 a3 02 f4 3e 0f 23 d8
cc 20 b7 30 85 14 1e 30 05 06 03 2b 65 70 03 41 00 52 12 41 d8 b3 a7 cc 20 b7 30 85 14 1e 30 05 06 03 2b 65 70 03 41 00 52 12 41 d8 b3 a7
70 99 6b cf c9 b9 ea d4 e7 e0 a1 c0 db 35 3a 3b df 29 10 b3 92 75 ae 70 99 6b cf c9 b9 ea d4 e7 e0 a1 c0 db 35 3a 3b df 29 10 b3 92 75 ae
48 b7 56 01 59 81 85 0d 27 db 67 34 e3 7f 67 21 22 67 dd 05 ee ff 27 48 b7 56 01 59 81 85 0d 27 db 67 34 e3 7f 67 21 22 67 dd 05 ee ff 27
b9 e7 a8 13 fa 57 4b 72 a0 0b 43 0b b9 e7 a8 13 fa 57 4b 72 a0 0b 43 0b
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
TH_4 (Raw Value) (32 bytes) TH_4 (Raw Value) (32 bytes)
6b 13 32 5a 49 bd 9f 97 0d 31 91 ee 31 79 62 df 1d 44 38 c6 64 15 ea 0e b8 68 f2 63 cf 35 55 dc cd 39 6d d8 de c2 9d 37 50 d5 99 be 42 d5
a4 ce dd 62 b5 b4 9d 7b b7 a4 1a 5a 37 c8 96 f2 94 ac
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
TH_4 (CBOR Data Item) (34 bytes) TH_4 (CBOR Data Item) (34 bytes)
58 20 6b 13 32 5a 49 bd 9f 97 0d 31 91 ee 31 79 62 df 1d 44 38 c6 64 58 20 0e b8 68 f2 63 cf 35 55 dc cd 39 6d d8 de c2 9d 37 50 d5 99 be
15 ea a4 ce dd 62 b5 b4 9d 7b b7 42 d5 a4 1a 5a 37 c8 96 f2 94 ac
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="message4"> <section anchor="message4">
<name>message_4</name> <name>message_4</name>
<t>No external authorization data:</t> <t>No external authorization data:</t>
<artwork><![CDATA[ <artwork><![CDATA[
EAD_4 (CBOR Sequence) (0 bytes) EAD_4 (CBOR Sequence) (0 bytes)
]]></artwork> ]]></artwork>
<t>The Responder constructs PLAINTEXT_4:</t> <t>The Responder constructs PLAINTEXT_4:</t>
<artwork><![CDATA[ <artwork><![CDATA[
PLAINTEXT_4 = PLAINTEXT_4 =
( (
? EAD_4 ? EAD_4
) )
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
PLAINTEXT_4 (CBOR Sequence) (0 bytes) PLAINTEXT_4 (CBOR Sequence) (0 bytes)
]]></artwork> ]]></artwork>
<t>The Responder constructs the associated data for message_4:</t> <t>The Responder constructs the associated data for message_4:</t>
<artwork><![CDATA[ <artwork><![CDATA[
A_4 = A_4 =
[ [
"Encrypt0", "Encrypt0",
h'', h'',
h'6b13325a49bd9f970d3191ee317962df1d4438c66415eaa4 h'0eb868f263cf3555dccd396dd8dec29d3750d599be42d5a4
cedd62b5b49d7bb7' 1a5a37c896f294ac'
] ]
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
A_4 (CBOR Data Item) (45 bytes) A_4 (CBOR Data Item) (45 bytes)
83 68 45 6e 63 72 79 70 74 30 40 58 20 6b 13 32 5a 49 bd 9f 97 0d 31 83 68 45 6e 63 72 79 70 74 30 40 58 20 0e b8 68 f2 63 cf 35 55 dc cd
91 ee 31 79 62 df 1d 44 38 c6 64 15 ea a4 ce dd 62 b5 b4 9d 7b b7 39 6d d8 de c2 9d 37 50 d5 99 be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac
]]></artwork> ]]></artwork>
<t>The Responder constructs the input needed to derive the EDHOC message _4 key, see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc "/>, using the EDHOC hash algorithm:</t> <t>The Responder constructs the input needed to derive the EDHOC message _4 key (see <xref section="4.1.2" sectionFormat="of" target="RFC9528"/>) using t he EDHOC hash algorithm:</t>
<artwork><![CDATA[ <artwork><![CDATA[
K_4 = EDHOC_KDF( PRK_4e3m, 8, TH_4, key_length ) K_4 = EDHOC_KDF( PRK_4e3m, 8, TH_4, key_length )
= HKDF-Expand( PRK_4x3m, info, key_length ) = HKDF-Expand( PRK_4e3m, info, key_length )
]]></artwork> ]]></artwork>
<t>where key_length is the key length in bytes for the EDHOC AEAD algori thm, <t>where key_length is the key length in bytes for the EDHOC AEAD algori thm,
and info for K_4 is:</t> and info for K_4 is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
8, 8,
h'6b13325a49bd9f970d3191ee317962df1d4438c66415eaa4 h'0eb868f263cf3555dccd396dd8dec29d3750d599be42d5a4
cedd62b5b49d7bb7', 1a5a37c896f294ac',
16 16
) )
]]></artwork> ]]></artwork>
<t>where the last value is the key length in bytes for the EDHOC AEAD al gorithm.</t> <t>where the last value is the key length in bytes for the EDHOC AEAD al gorithm.</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for K_4 (CBOR Sequence) (36 bytes) info for K_4 (CBOR Sequence) (36 bytes)
08 58 20 6b 13 32 5a 49 bd 9f 97 0d 31 91 ee 31 79 62 df 1d 44 38 c6 08 58 20 0e b8 68 f2 63 cf 35 55 dc cd 39 6d d8 de c2 9d 37 50 d5 99
64 15 ea a4 ce dd 62 b5 b4 9d 7b b7 10 be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac 10
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
K_4 (Raw Value) (16 bytes) K_4 (Raw Value) (16 bytes)
c9 f5 87 9d dd 4e 25 68 f6 94 46 c3 06 52 5f ef df 8c b5 86 1e 1f df ed d3 b2 30 15 a3 9d 1e 2e
]]></artwork> ]]></artwork>
<t>The Responder constructs the input needed to derive the EDHOC message _4 nonce, see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edh oc"/>, using the EDHOC hash algorithm:</t> <t>The Responder constructs the input needed to derive the EDHOC message _4 nonce (see <xref section="4.1.2" sectionFormat="of" target="RFC9528"/>) using the EDHOC hash algorithm:</t>
<artwork><![CDATA[ <artwork><![CDATA[
IV_4 = EDHOC_KDF( PRK_4e3m, 9, TH_4, iv_length ) IV_4 = EDHOC_KDF( PRK_4e3m, 9, TH_4, iv_length )
= HKDF-Expand( PRK_4x3m, info, iv_length ) = HKDF-Expand( PRK_4e3m, info, iv_length )
]]></artwork> ]]></artwork>
<t>where length is the nonce length in bytes for the EDHOC AEAD algorith m, <t>where length is the nonce length in bytes for the EDHOC AEAD algorith m,
and info for IV_4 is:</t> and info for IV_4 is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
9, 9,
h'6b13325a49bd9f970d3191ee317962df1d4438c66415eaa4 h'0eb868f263cf3555dccd396dd8dec29d3750d599be42d5a4
cedd62b5b49d7bb7', 1a5a37c896f294ac',
13 13
) )
]]></artwork> ]]></artwork>
<t>where the last value is the nonce length in bytes for the EDHOC AEAD algorithm.</t> <t>where the last value is the nonce length in bytes for the EDHOC AEAD algorithm.</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for IV_4 (CBOR Sequence) (36 bytes) info for IV_4 (CBOR Sequence) (36 bytes)
09 58 20 6b 13 32 5a 49 bd 9f 97 0d 31 91 ee 31 79 62 df 1d 44 38 c6 09 58 20 0e b8 68 f2 63 cf 35 55 dc cd 39 6d d8 de c2 9d 37 50 d5 99
64 15 ea a4 ce dd 62 b5 b4 9d 7b b7 0d be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac 0d
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
IV_4 (Raw Value) (13 bytes) IV_4 (Raw Value) (13 bytes)
a8 e0 4c e7 56 ee 38 e8 23 b7 7b 3e e0 12 8e c6 58 d9 70 d7 38 0f 74 fc 6c 27
]]></artwork> ]]></artwork>
<t>The Responder calculates CIPHERTEXT_4 as 'ciphertext' of COSE_Encrypt 0 applied <t>The Responder calculates CIPHERTEXT_4 as 'ciphertext' of COSE_Encrypt 0 applied
using the EDHOC AEAD algorithm with plaintext PLAINTEXT_4, additional data using the EDHOC AEAD algorithm with plaintext PLAINTEXT_4, additional data
A_4, key K_4 and nonce IV_4.</t> A_4, key K_4, and nonce IV_4.</t>
<artwork><![CDATA[ <artwork><![CDATA[
CIPHERTEXT_4 (8 bytes) CIPHERTEXT_4 (8 bytes)
ee 12 0e 8b 5e 2a 00 8f 4f 0e de e3 66 e5 c8 83
]]></artwork> ]]></artwork>
<t>message_4 is the CBOR bstr encoding of CIPHERTEXT_4:</t> <t>message_4 is the CBOR bstr encoding of CIPHERTEXT_4:</t>
<artwork><![CDATA[ <artwork><![CDATA[
message_4 (CBOR Sequence) (9 bytes) message_4 (CBOR Sequence) (9 bytes)
48 ee 12 0e 8b 5e 2a 00 8f 48 4f 0e de e3 66 e5 c8 83
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="out-and-exporter1"> <section anchor="out-and-exporter1">
<name>PRK_out and PRK_exporter</name> <name>PRK_out and PRK_exporter</name>
<t>PRK_out is specified in <xref section="4.1.3" sectionFormat="of" targ et="I-D.ietf-lake-edhoc"/>.</t> <t>PRK_out is specified in <xref section="4.1.3" sectionFormat="of" targ et="RFC9528"/>.</t>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_out = EDHOC_KDF( PRK_4e3m, 7, TH_4, hash_length ) = PRK_out = EDHOC_KDF( PRK_4e3m, 7, TH_4, hash_length )
= HKDF-Expand( PRK_4e3m, info, hash_length ) = HKDF-Expand( PRK_4e3m, info, hash_length )
]]></artwork> ]]></artwork>
<t>where hash_length is the length in bytes of the output of the EDHOC h ash algorithm, and info for PRK_out is:</t> <t>where hash_length is the length in bytes of the output of the EDHOC h ash algorithm, and info for PRK_out is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
7, 7,
h'6b13325a49bd9f970d3191ee317962df1d4438c66415eaa4 h'0eb868f263cf3555dccd396dd8dec29d3750d599be42d5a4
cedd62b5b49d7bb7', 1a5a37c896f294ac',
32 32
) )
]]></artwork> ]]></artwork>
<t>where the last value is the length in bytes of the output of the EDHO C hash algorithm.</t> <t>where the last value is the length in bytes of the output of the EDHO C hash algorithm.</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for PRK_out (CBOR Sequence) (37 bytes) info for PRK_out (CBOR Sequence) (37 bytes)
07 58 20 6b 13 32 5a 49 bd 9f 97 0d 31 91 ee 31 79 62 df 1d 44 38 c6 07 58 20 0e b8 68 f2 63 cf 35 55 dc cd 39 6d d8 de c2 9d 37 50 d5 99
64 15 ea a4 ce dd 62 b5 b4 9d 7b b7 18 20 be 42 d5 a4 1a 5a 37 c8 96 f2 94 ac 18 20
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_out (Raw Value) (32 bytes) PRK_out (Raw Value) (32 bytes)
45 06 92 9a d5 95 d5 d4 e5 9b 5f 21 ea b6 7d ea b6 4a 3b d2 c7 d9 d6 b7 44 cb 7d 8a 87 cc 04 47 c3 35 0e 16 5b 25 0d ab 12 ec 45 33 25 ab
87 7d 60 61 81 9c 2d 02 0d b9 22 b3 03 07 e5 c3 68 f0
]]></artwork> ]]></artwork>
<t>The OSCORE Master Secret and OSCORE Master Salt are derived with the EDHOC_Exporter as specified in <xref section="4.2.1" sectionFormat="of" target=" I-D.ietf-lake-edhoc"/>.</t> <t>The Object Security for Constrained RESTful Environments (OSCORE) Mas ter Secret and OSCORE Master Salt are derived with the EDHOC_Exporter as specifi ed in <xref section="4.2.1" sectionFormat="of" target="RFC9528"/>.</t>
<artwork><![CDATA[ <artwork><![CDATA[
EDHOC_Exporter( label, context, length ) EDHOC_Exporter( exporter_label, context, length )
= EDHOC_KDF( PRK_exporter, label, context, length ) = EDHOC_KDF( PRK_exporter, exporter_label, context, length )
]]></artwork> ]]></artwork>
<t>where PRK_exporter is derived from PRK_out:</t> <t>where PRK_exporter is derived from PRK_out:</t>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length ) = PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length )
= HKDF-Expand( PRK_out, info, hash_length ) = HKDF-Expand( PRK_out, info, hash_length )
]]></artwork> ]]></artwork>
<t>where hash_length is the length in bytes of the output of the EDHOC h ash algorithm, and info for the PRK_exporter is:</t> <t>where hash_length is the length in bytes of the output of the EDHOC h ash algorithm, and info for the PRK_exporter is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
10, 10,
h'', h'',
32 32
) )
]]></artwork> ]]></artwork>
<t>where the last value is the length in bytes of the output of the EDHO C hash algorithm.</t> <t>where the last value is the length in bytes of the output of the EDHO C hash algorithm.</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for PRK_exporter (CBOR Sequence) (4 bytes) info for PRK_exporter (CBOR Sequence) (4 bytes)
0a 40 18 20 0a 40 18 20
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_exporter (Raw Value) (32 bytes) PRK_exporter (Raw Value) (32 bytes)
ad 33 a8 f2 e0 6f ff 3e 5d 7e e1 10 9e db f2 b6 d2 56 4c b3 f4 08 68 2a ae c8 fc 4a b3 bc 32 95 de f6 b5 51 05 1a 2f a5 61 42 4d b3 01 fa
e6 46 11 e4 20 92 4c e4 09 84 f6 42 f5 57 8a 6d f5 1a
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="oscore-param"> <section anchor="oscore-param">
<name>OSCORE Parameters</name> <name>OSCORE Parameters</name>
<t>The derivation of OSCORE parameters is specified in <xref section="A. <t>The derivation of OSCORE parameters is specified in <xref section="A.
1" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>.</t> 1" sectionFormat="of" target="RFC9528"/>.</t>
<t>The AEAD and Hash algorithms to use in OSCORE are given by the select <t>The AEAD and hash algorithms to use in OSCORE are given by the select
ed cipher suite:</t> ed cipher suite:</t>
<artwork><![CDATA[ <artwork><![CDATA[
Application AEAD Algorithm (int) Application AEAD Algorithm (int)
10 10
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Application Hash Algorithm (int) Application Hash Algorithm (int)
-16 -16
]]></artwork> ]]></artwork>
<t>The mapping from EDHOC connection identifiers to OSCORE Sender/Recipi ent IDs is defined in <xref section="3.3.3" sectionFormat="of" target="I-D.ietf- lake-edhoc"/>.</t> <t>The mapping from EDHOC connection identifiers to OSCORE Sender/Recipi ent IDs is defined in <xref section="3.3.3" sectionFormat="of" target="RFC9528"/ >.</t>
<t>C_R is mapped to the Recipient ID of the server, i.e., the Sender ID of the client. The byte string 0x18, which as C_R is encoded as the CBOR byte st ring 0x4118, is converted to the server Recipient ID 0x18.</t> <t>C_R is mapped to the Recipient ID of the server, i.e., the Sender ID of the client. The byte string 0x18, which as C_R is encoded as the CBOR byte st ring 0x4118, is converted to the server Recipient ID 0x18.</t>
<artwork><![CDATA[ <artwork><![CDATA[
Client's OSCORE Sender ID (Raw Value) (1 byte) Client's OSCORE Sender ID (Raw Value) (1 byte)
18 18
]]></artwork> ]]></artwork>
<t>C_I is mapped to the Recipient ID of the client, i.e., the Sender ID of the server. The byte string 0x2d, which as C_I is encoded as the CBOR integer 0x2d is converted to the client Recipient ID 0x2d.</t> <t>C_I is mapped to the Recipient ID of the client, i.e., the Sender ID of the server. The byte string 0x2d, which as C_I is encoded as the CBOR integer 0x2d, is converted to the client Recipient ID 0x2d.</t>
<artwork><![CDATA[ <artwork><![CDATA[
Server's OSCORE Sender ID (Raw Value) (1 byte) Server's OSCORE Sender ID (Raw Value) (1 byte)
2d 2d
]]></artwork> ]]></artwork>
<t>The OSCORE Master Secret is computed through EDHOC_Expand() using the <t>The OSCORE Master Secret is computed through EDHOC_Expand() using the
Application hash algorithm, see <xref section="A.1" sectionFormat="of" target="I -D.ietf-lake-edhoc"/>:</t> application hash algorithm (see <xref section="A.1" sectionFormat="of" target="R FC9528"/>):</t>
<artwork><![CDATA[ <artwork><![CDATA[
OSCORE Master Secret = EDHOC_Exporter( 0, h'', oscore_key_length ) OSCORE Master Secret = EDHOC_Exporter( 0, h'', oscore_key_length )
= EDHOC_KDF( PRK_exporter, 0, h'', oscore_key_length ) = EDHOC_KDF( PRK_exporter, 0, h'', oscore_key_length )
= HKDF-Expand( PRK_exporter, info, oscore_key_length ) = HKDF-Expand( PRK_exporter, info, oscore_key_length )
]]></artwork> ]]></artwork>
<t>where oscore_key_length is by default the key length in bytes for the <t>where oscore_key_length is the key length in bytes for the applicatio
Application AEAD n AEAD
algorithm, and info for the OSCORE Master Secret is:</t> algorithm by default, and info for the OSCORE Master Secret is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
0, 0,
h'', h'',
16 16
) )
]]></artwork> ]]></artwork>
<t>where the last value is the key length in bytes for the Application A EAD algorithm.</t> <t>where the last value is the key length in bytes for the application A EAD algorithm.</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for OSCORE Master Secret (CBOR Sequence) (3 bytes) info for OSCORE Master Secret (CBOR Sequence) (3 bytes)
00 40 10 00 40 10
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
OSCORE Master Secret (Raw Value) (16 bytes) OSCORE Master Secret (Raw Value) (16 bytes)
fc 9c fb 05 63 ca 3e 28 f8 80 48 3b 9c 06 bd 03 1e 1c 6b ea c3 a8 a1 ca c4 35 de 7e 2f 9a e7 ff
]]></artwork> ]]></artwork>
<t>The OSCORE Master Salt is computed through EDHOC_Expand() using the A pplication hash algorithm, see <xref section="4.2" sectionFormat="of" target="I- D.ietf-lake-edhoc"/>:</t> <t>The OSCORE Master Salt is computed through EDHOC_Expand() using the a pplication hash algorithm (see <xref section="4.2" sectionFormat="of" target="RF C9528"/>):</t>
<artwork><![CDATA[ <artwork><![CDATA[
OSCORE Master Salt = EDHOC_Exporter( 1, h'', oscore_salt_length ) OSCORE Master Salt = EDHOC_Exporter( 1, h'', oscore_salt_length )
= EDHOC_KDF( PRK_exporter, 1, h'', oscore_salt_length ) = EDHOC_KDF( PRK_exporter, 1, h'', oscore_salt_length )
= HKDF-Expand( PRK_4x3m, info, oscore_salt_length ) = HKDF-Expand( PRK_exporter, info, oscore_salt_length )
]]></artwork> ]]></artwork>
<t>where oscore_salt_length is the length in bytes of the OSCORE Master Salt, and info for the OSCORE Master Salt is:</t> <t>where oscore_salt_length is the length in bytes of the OSCORE Master Salt, and info for the OSCORE Master Salt is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
1, 1,
h'', h'',
8 8
) )
]]></artwork> ]]></artwork>
<t>where the last value is the length in bytes of the OSCORE Master Salt .</t> <t>where the last value is the length in bytes of the OSCORE Master Salt .</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for OSCORE Master Salt (CBOR Sequence) (3 bytes) info for OSCORE Master Salt (CBOR Sequence) (3 bytes)
01 40 08 01 40 08
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
OSCORE Master Salt (Raw Value) (8 bytes) OSCORE Master Salt (Raw Value) (8 bytes)
0e c0 9d 45 3b 08 98 34 ce 7a b8 44 c0 10 6d 73
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="key-update"> <section anchor="key-update">
<name>Key Update</name> <name>Key Update</name>
<t>Key update is defined in <xref section="H" sectionFormat="of" target= "I-D.ietf-lake-edhoc"/>.</t> <t>Key update is defined in <xref section="H" sectionFormat="of" target= "RFC9528"/>.</t>
<artwork><![CDATA[ <artwork><![CDATA[
EDHOC_KeyUpdate( context ): EDHOC_KeyUpdate( context ):
PRK_out = EDHOC_KDF( PRK_out, 11, context, hash_length ) PRK_out = EDHOC_KDF( PRK_out, 11, context, hash_length )
= HKDF-Expand( PRK_out, info, hash_length ) = HKDF-Expand( PRK_out, info, hash_length )
]]></artwork> ]]></artwork>
<t>where hash_length is the length in bytes of the output of the EDHOC h ash function, and context for KeyUpdate is</t> <t>where hash_length is the length in bytes of the output of the EDHOC h ash function, and the context for KeyUpdate is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
context for KeyUpdate (Raw Value) (16 bytes) context for KeyUpdate (Raw Value) (16 bytes)
d6 be 16 96 02 b8 bc ea a0 11 58 fd b8 20 89 0c d6 be 16 96 02 b8 bc ea a0 11 58 fd b8 20 89 0c
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
context for KeyUpdate (CBOR Data Item) (17 bytes) context for KeyUpdate (CBOR Data Item) (17 bytes)
50 d6 be 16 96 02 b8 bc ea a0 11 58 fd b8 20 89 0c 50 d6 be 16 96 02 b8 bc ea a0 11 58 fd b8 20 89 0c
]]></artwork> ]]></artwork>
<t>and where info for key update is:</t> <t>where info for KeyUpdate is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
11, 11,
h'd6be169602b8bceaa01158fdb820890c', h'd6be169602b8bceaa01158fdb820890c',
32 32
) )
]]></artwork>
<artwork><![CDATA[
info for KeyUpdate (CBOR Sequence) (20 bytes)
0b 50 d6 be 16 96 02 b8 bc ea a0 11 58 fd b8 20 89 0c 18 20
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_out after KeyUpdate (Raw Value) (32 bytes) PRK_out after KeyUpdate (Raw Value) (32 bytes)
0c 1d e2 f0 6d 9a d7 5a 21 32 90 5f 95 c6 96 40 42 76 af 81 f1 14 4a da 6e ac d9 a9 85 f4 fb a9 ae c2 a9 29 90 22 97 6b 25 b1 4e 89 fa 15
a7 61 af bf 78 d6 8c a1 b4 97 94 f2 8d 82 fa f2 da ad
]]></artwork> ]]></artwork>
<t>After key update, the PRK_exporter needs to be derived anew:</t> <t>After the key update, the PRK_exporter needs to be derived anew:</t>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length ) = PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length )
= HKDF-Expand( PRK_out, info, hash_length ) = HKDF-Expand( PRK_out, info, hash_length )
]]></artwork> ]]></artwork>
<t>where info and hash_length are unchanged as in <xref target="out-and- exporter1"/>.</t> <t>where info and hash_length are unchanged as in <xref target="out-and- exporter1"/>.</t>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_exporter (Raw Value) (32 bytes) PRK_exporter after KeyUpdate (Raw Value) (32 bytes)
f0 4e 4c 40 1d e8 db 34 f7 b5 06 b2 33 10 9a 24 c4 9c 4b 09 65 d0 7c 00 14 d2 52 5e e0 d8 e2 13 ea 59 08 02 8e 9a 1c e9 a0 1c 30 54 6f 09
6e 47 7b 23 a3 7b 53 c2 35 30 c0 44 d3 8d b5 36 2c 05
]]></artwork> ]]></artwork>
<t>The OSCORE Master Secret is derived with the updated PRK_exporter:</t > <t>The OSCORE Master Secret is derived with the updated PRK_exporter:</t >
<artwork><![CDATA[ <artwork><![CDATA[
OSCORE Master Secret = OSCORE Master Secret
= HKDF-Expand(PRK_exporter, info, oscore_key_length) = HKDF-Expand( PRK_exporter, info, oscore_key_length )
]]></artwork> ]]></artwork>
<t>where info and key_length are unchanged as in <xref target="oscore-pa ram"/>.</t> <t>where info and oscore_key_length are unchanged as in <xref target="os core-param"/>.</t>
<artwork><![CDATA[ <artwork><![CDATA[
OSCORE Master Secret after KeyUpdate (Raw Value) (16 bytes) OSCORE Master Secret after KeyUpdate (Raw Value) (16 bytes)
50 48 6d 75 82 3a 59 2d 1e fd 28 6a 70 7f e8 7d ee 0f f5 42 c4 7e b0 e0 9c 69 30 76 49 bd bb e5
]]></artwork> ]]></artwork>
<t>The OSCORE Master Salt is derived with the updated PRK_exporter:</t> <t>The OSCORE Master Salt is derived with the updated PRK_exporter:</t>
<artwork><![CDATA[ <artwork><![CDATA[
OSCORE Master Salt = HKDF-Expand(PRK_exporter, info, salt_length) OSCORE Master Salt
= HKDF-Expand( PRK_exporter, info, oscore_salt_length )
]]></artwork> ]]></artwork>
<t>where info and salt_length are unchanged as in <xref target="oscore-p aram"/>.</t> <t>where info and oscore_salt_length are unchanged as in <xref target="o score-param"/>.</t>
<artwork><![CDATA[ <artwork><![CDATA[
OSCORE Master Salt after KeyUpdate (Raw Value) (8 bytes) OSCORE Master Salt after KeyUpdate (Raw Value) (8 bytes)
61 95 cb b1 ce 03 1c ae 80 ce de 2a 1e 5a ab 48
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="certs"> <section anchor="certs">
<name>Certificates</name> <name>Certificates</name>
<section anchor="resp-cer"> <section anchor="resp-cer">
<name>Responder Certificate</name> <name>Responder Certificate</name>
<artwork><![CDATA[ <artwork><![CDATA[
Version: 3 (0x2) Version: 3 (0x2)
Serial Number: 1647419076 (0x62319ec4) Serial Number: 1647419076 (0x62319ec4)
Signature Algorithm: ED25519 Signature Algorithm: ED25519
skipping to change at line 1311 skipping to change at line 1343
4b b5 2b bf 15 39 b7 1a 4a af 42 97 78 f2 9e da 7e 81 4b b5 2b bf 15 39 b7 1a 4a af 42 97 78 f2 9e da 7e 81
46 80 69 8f 16 c4 8f 2a 6f a4 db e8 25 41 c5 82 07 ba 46 80 69 8f 16 c4 8f 2a 6f a4 db e8 25 41 c5 82 07 ba
1b c9 cd b0 c2 fa 94 7f fb f0 f0 ec 0e e9 1a 7f f3 7a 1b c9 cd b0 c2 fa 94 7f fb f0 f0 ec 0e e9 1a 7f f3 7a
94 d9 25 1f a5 cd f1 e6 7a 0f 94 d9 25 1f a5 cd f1 e6 7a 0f
]]></artwork> ]]></artwork>
</section> </section>
</section> </section>
</section> </section>
<section anchor="sec-trace-2"> <section anchor="sec-trace-2">
<name>Authentication with Static DH, CCS Identified by 'kid'</name> <name>Authentication with Static DH, CCS Identified by 'kid'</name>
<t>In this example the Initiator and the Responder are authenticated with ephemeral-static Diffie-Hellman (METHOD = 3). The Initiator supports cipher suit es 6 and 2 (in order of preference) and the Responder only supports cipher suite 2. After an initial negotiation message exchange, cipher suite 2 is used, which determines the algorithms:</t> <t>In this example, the Initiator and the Responder are authenticated with ephemeral-static Diffie-Hellman (METHOD = 3). The Initiator supports cipher sui tes 6 and 2 (in order of preference), and the Responder only supports cipher sui te 2. After an initial negotiation message exchange, cipher suite 2 is used, whi ch determines the algorithms:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>EDHOC AEAD algorithm = AES-CCM-16-64-128</li> <li>EDHOC AEAD algorithm = AES-CCM-16-64-128</li>
<li>EDHOC hash algorithm = SHA-256</li> <li>EDHOC hash algorithm = SHA-256</li>
<li>EDHOC MAC length in bytes (Static DH) = 8</li> <li>EDHOC MAC length in bytes (Static DH) = 8</li>
<li>EDHOC key exchange algorithm (ECDH curve) = P-256</li> <li>EDHOC key exchange algorithm (ECDH curve) = P-256</li>
<li>EDHOC signature algorithm = ES256</li> <li>EDHOC signature algorithm = ES256</li>
<li>Application AEAD algorithm = AES-CCM-16-64-128</li> <li>application AEAD algorithm = AES-CCM-16-64-128</li>
<li>Application hash algorithm = SHA-256</li> <li>application hash algorithm = SHA-256</li>
</ul> </ul>
<t>The public keys are represented as raw public keys (RPK), encoded in a CWT Claims Set (CCS) and identified by the COSE header parameter 'kid'.</t> <t>The public keys are represented as raw public keys (RPKs), encoded in a CWT Claims Set (CCS) and identified by the COSE header parameter 'kid'.</t>
<section anchor="m1_1"> <section anchor="m1_1">
<name>message_1 (first time)</name> <name>message_1 (First Time)</name>
<t>Both endpoints are authenticated with static DH, i.e., METHOD = 3:</t > <t>Both endpoints are authenticated with static DH, i.e., METHOD = 3:</t >
<artwork><![CDATA[ <artwork><![CDATA[
METHOD (CBOR Data Item) (1 byte) METHOD (CBOR Data Item) (1 byte)
03 03
]]></artwork> ]]></artwork>
<t>The Initiator selects its preferred cipher suite 6. A single cipher s uite is encoded as an int:</t> <t>The Initiator selects its preferred cipher suite 6. A single cipher s uite is encoded as an int:</t>
<artwork><![CDATA[ <artwork><![CDATA[
SUITES_I (CBOR Data Item) (1 byte) SUITES_I (CBOR Data Item) (1 byte)
06 06
]]></artwork> ]]></artwork>
skipping to change at line 1353 skipping to change at line 1385
G_X (Raw Value) (32 bytes) G_X (Raw Value) (32 bytes)
74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d 8f 65 f3 26 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d 8f 65 f3 26
20 b7 49 be e8 d2 78 ef a9 20 b7 49 be e8 d2 78 ef a9
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Initiator's ephemeral public key, 'x'-coordinate Initiator's ephemeral public key, 'x'-coordinate
G_X (CBOR Data Item) (34 bytes) G_X (CBOR Data Item) (34 bytes)
58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d 8f 65 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d 8f 65
f3 26 20 b7 49 be e8 d2 78 ef a9 f3 26 20 b7 49 be e8 d2 78 ef a9
]]></artwork> ]]></artwork>
<t>The Initiator selects its connection identifier C_I to be the byte st ring 0x0e, which since it is represented by the 1-byte CBOR int 14 is encoded as 0x0e:</t> <t>The Initiator selects its connection identifier C_I to be the byte st ring 0x0e, which is encoded as 0x0e since it is represented by the 1-byte CBOR i nt 14:</t>
<artwork><![CDATA[ <artwork><![CDATA[
Connection identifier chosen by Initiator Connection identifier chosen by the Initiator
C_I (Raw Value) (1 byte) C_I (Raw Value) (1 byte)
0e 0e
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Connection identifier chosen by Initiator Connection identifier chosen by the Initiator
C_I (CBOR Data Item) (1 byte) C_I (CBOR Data Item) (1 byte)
0e 0e
]]></artwork> ]]></artwork>
<t>No external authorization data:</t> <t>No external authorization data:</t>
<t>EAD_1 (CBOR Sequence) (0 bytes)</t> <artwork><![CDATA[
EAD_1 (CBOR Sequence) (0 bytes)
]]></artwork>
<t>The Initiator constructs message_1:</t> <t>The Initiator constructs message_1:</t>
<artwork><![CDATA[ <artwork><![CDATA[
message_1 = message_1 =
( (
3, 3,
6, 6,
h'741a13d7ba048fbb615e94386aa3b61bea5b3d8f65f32620 h'741a13d7ba048fbb615e94386aa3b61bea5b3d8f65f32620
b749bee8d278efa9', b749bee8d278efa9',
14 14
) )
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
message_1 (CBOR Sequence) (37 bytes) message_1 (CBOR Sequence) (37 bytes)
03 06 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d 03 06 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d
8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="error"> <section anchor="error">
<name>error</name> <name>error</name>
skipping to change at line 1396 skipping to change at line 1430
<artwork><![CDATA[ <artwork><![CDATA[
SUITES_R SUITES_R
02 02
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
error (CBOR Sequence) (2 bytes) error (CBOR Sequence) (2 bytes)
02 02 02 02
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="message1-second-time"> <section anchor="message1-second-time">
<name>message_1 (second time)</name> <name>message_1 (Second Time)</name>
<t>Same steps are performed as for message_1 the first time, <xref targe <t>Same steps are performed as for message_1 the first time (<xref targe
t="m1_1"/>, but with updated SUITES_I.</t> t="m1_1"/>) but with SUITES_I updated.</t>
<t>Both endpoints are authenticated with static DH, i.e., METHOD = 3:</t > <t>Both endpoints are authenticated with static DH, i.e., METHOD = 3:</t >
<artwork align="left"><![CDATA[ <artwork align="left"><![CDATA[
METHOD (CBOR Data Item) (1 byte) METHOD (CBOR Data Item) (1 byte)
03 03
]]></artwork> ]]></artwork>
<t>The Initiator selects cipher suite 2 and indicates the more preferred cipher suite(s), in this case 6, all encoded as the array [6, 2]:</t> <t>The Initiator selects cipher suite 2 and indicates the more preferred cipher suite(s), in this case 6, all encoded as the array [6, 2]:</t>
<artwork><![CDATA[ <artwork><![CDATA[
SUITES_I (CBOR Data Item) (3 bytes) SUITES_I (CBOR Data Item) (3 bytes)
82 06 02 82 06 02
]]></artwork> ]]></artwork>
skipping to change at line 1433 skipping to change at line 1467
(Raw Value) (32 bytes) (Raw Value) (32 bytes)
51 e8 af 6c 6e db 78 16 01 ad 1d 9c 5f a8 bf 7a a1 57 16 c7 c0 6a 5d 51 e8 af 6c 6e db 78 16 01 ad 1d 9c 5f a8 bf 7a a1 57 16 c7 c0 6a 5d
03 85 03 c6 14 ff 80 c9 b3 03 85 03 c6 14 ff 80 c9 b3
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Initiator's ephemeral public key, 'x'-coordinate Initiator's ephemeral public key, 'x'-coordinate
G_X (CBOR Data Item) (34 bytes) G_X (CBOR Data Item) (34 bytes)
58 20 8a f6 f4 30 eb e1 8d 34 18 40 17 a9 a1 1b f5 11 c8 df f8 f8 34 58 20 8a f6 f4 30 eb e1 8d 34 18 40 17 a9 a1 1b f5 11 c8 df f8 f8 34
73 0b 96 c1 b7 c8 db ca 2f c3 b6 73 0b 96 c1 b7 c8 db ca 2f c3 b6
]]></artwork> ]]></artwork>
<t>The Initiator selects its connection identifier C_I to be the byte st ring 0x37, which since it is represented by the 1-byte CBOR int -24 is encoded a s 0x37:</t> <t>The Initiator selects its connection identifier C_I to be the byte st ring 0x37, which is encoded as 0x37 since it is represented by the 1-byte CBOR i nt -24:</t>
<artwork><![CDATA[ <artwork><![CDATA[
Connection identifier chosen by Initiator Connection identifier chosen by the Initiator
C_I (Raw Value) (1 byte) C_I (Raw Value) (1 byte)
37 37
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Connection identifier chosen by Initiator Connection identifier chosen by the Initiator
C_I (CBOR Data Item) (1 byte) C_I (CBOR Data Item) (1 byte)
37 37
]]></artwork> ]]></artwork>
<t>No external authorization data:</t> <t>No external authorization data:</t>
<artwork><![CDATA[ <artwork><![CDATA[
EAD_1 (CBOR Sequence) (0 bytes) EAD_1 (CBOR Sequence) (0 bytes)
]]></artwork> ]]></artwork>
<t>The Initiator constructs message_1:</t> <t>The Initiator constructs message_1:</t>
<artwork><![CDATA[ <artwork><![CDATA[
message_1 = message_1 =
( (
3, 3,
[6, 2], [6, 2],
h'8af6f430ebe18d34184017a9a11bf511c8dff8f834730b96 h'8af6f430ebe18d34184017a9a11bf511c8dff8f834730b96
c1b7c8dbca2fc3b6', c1b7c8dbca2fc3b6',
-24 -24
) )
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
message_1 (CBOR Sequence) (39 bytes) message_1 (CBOR Sequence) (39 bytes)
03 82 06 02 58 20 8a f6 f4 30 eb e1 8d 34 18 40 17 a9 a1 1b f5 11 c8 03 82 06 02 58 20 8a f6 f4 30 eb e1 8d 34 18 40 17 a9 a1 1b f5 11 c8
df f8 f8 34 73 0b 96 c1 b7 c8 db ca 2f c3 b6 37 df f8 f8 34 73 0b 96 c1 b7 c8 db ca 2f c3 b6 37
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="message2-1"> <section anchor="message2-1">
<name>message_2</name> <name>message_2</name>
<t>The Responder supports the selected cipher suite 2 and not the by the Initiator more preferred cipher suite(s) 6, so SUITES_I is acceptable.</t> <t>The Responder supports the selected cipher suite 2 and not the Initia tor's more preferred cipher suite(s) 6, so SUITES_I is acceptable.</t>
<t>The Responder creates an ephemeral key pair for use with the EDHOC ke y exchange algorithm:</t> <t>The Responder creates an ephemeral key pair for use with the EDHOC ke y exchange algorithm:</t>
<artwork><![CDATA[ <artwork><![CDATA[
Responder's ephemeral private key Responder's ephemeral private key
Y (Raw Value) (32 bytes) Y (Raw Value) (32 bytes)
e2 f4 12 67 77 20 5e 85 3b 43 7d 6e ac a1 e1 f7 53 cd cc 3e 2c 69 fa e2 f4 12 67 77 20 5e 85 3b 43 7d 6e ac a1 e1 f7 53 cd cc 3e 2c 69 fa
88 4b 0a 1a 64 09 77 e4 18 88 4b 0a 1a 64 09 77 e4 18
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Responder's ephemeral public key, 'x'-coordinate Responder's ephemeral public key, 'x'-coordinate
G_Y (Raw Value) (32 bytes) G_Y (Raw Value) (32 bytes)
skipping to change at line 1493 skipping to change at line 1527
(Raw Value) (32 bytes) (Raw Value) (32 bytes)
5e 4f 0d d8 a3 da 0b aa 16 b9 d3 ad 56 a0 c1 86 0a 94 0a f8 59 14 91 5e 4f 0d d8 a3 da 0b aa 16 b9 d3 ad 56 a0 c1 86 0a 94 0a f8 59 14 91
5e 25 01 9b 40 24 17 e9 9d 5e 25 01 9b 40 24 17 e9 9d
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Responder's ephemeral public key, 'x'-coordinate Responder's ephemeral public key, 'x'-coordinate
G_Y (CBOR Data Item) (34 bytes) G_Y (CBOR Data Item) (34 bytes)
58 20 41 97 01 d7 f0 0a 26 c2 dc 58 7a 36 dd 75 25 49 f3 37 63 c8 93 58 20 41 97 01 d7 f0 0a 26 c2 dc 58 7a 36 dd 75 25 49 f3 37 63 c8 93
42 2c 8e a0 f9 55 a1 3a 4f f5 d5 42 2c 8e a0 f9 55 a1 3a 4f f5 d5
]]></artwork> ]]></artwork>
<t>The Responder selects its connection identifier C_R to be the byte st ring 0x27, which since it is represented by the 1-byte CBOR int -8 is encoded as 0x27:</t> <t>The Responder selects its connection identifier C_R to be the byte st ring 0x27, which is encoded as 0x27 since it is represented by the 1-byte CBOR i nt -8:</t>
<artwork><![CDATA[ <artwork><![CDATA[
Connection identifier chosen by Responder Connection identifier chosen by the Responder
C_R (raw value) (1 byte) C_R (raw value) (1 byte)
27 27
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Connection identifier chosen by Responder Connection identifier chosen by the Responder
C_R (CBOR Data Item) (1 byte) C_R (CBOR Data Item) (1 byte)
27 27
]]></artwork> ]]></artwork>
<t>The transcript hash TH_2 is calculated using the EDHOC hash algorithm :</t> <t>The transcript hash TH_2 is calculated using the EDHOC hash algorithm :</t>
<t>TH_2 = H( G_Y, H(message_1) )</t> <t>TH_2 = H( G_Y, H(message_1) )</t>
<artwork><![CDATA[ <artwork><![CDATA[
H(message_1) (Raw Value) (32 bytes) H(message_1) (Raw Value) (32 bytes)
ca 02 ca bd a5 a8 90 27 49 b4 2f 71 10 50 bb 4d bd 52 15 3e 87 52 75 ca 02 ca bd a5 a8 90 27 49 b4 2f 71 10 50 bb 4d bd 52 15 3e 87 52 75
94 b3 9f 50 cd f0 19 88 8c 94 b3 9f 50 cd f0 19 88 8c
]]></artwork> ]]></artwork>
skipping to change at line 1534 skipping to change at line 1568
<artwork><![CDATA[ <artwork><![CDATA[
TH_2 (Raw Value) (32 bytes) TH_2 (Raw Value) (32 bytes)
35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 02 8f f3 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 02 8f f3
9d 52 36 c1 82 b2 02 08 4b 9d 52 36 c1 82 b2 02 08 4b
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
TH_2 (CBOR Data Item) (34 bytes) TH_2 (CBOR Data Item) (34 bytes)
58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 02 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 02
8f f3 9d 52 36 c1 82 b2 02 08 4b 8f f3 9d 52 36 c1 82 b2 02 08 4b
]]></artwork> ]]></artwork>
<t>PRK_2e is specified in <xref section="4.1.1.1" sectionFormat="of" tar <t>PRK_2e is specified in <xref section="4.1.1.1" sectionFormat="of" tar
get="I-D.ietf-lake-edhoc"/>.</t> get="RFC9528"/>.</t>
<t>First, the ECDH shared secret G_XY is computed from G_X and Y, or G_Y <t>First, the ECDH shared secret G_XY is computed from G_X and Y or G_Y
and X:</t> and X:</t>
<artwork><![CDATA[ <artwork><![CDATA[
G_XY (Raw Value) (ECDH shared secret) (32 bytes) G_XY (Raw Value) (ECDH shared secret) (32 bytes)
2f 0c b7 e8 60 ba 53 8f bf 5c 8b de d0 09 f6 25 9b 4b 62 8f e1 eb 7d 2f 0c b7 e8 60 ba 53 8f bf 5c 8b de d0 09 f6 25 9b 4b 62 8f e1 eb 7d
be 93 78 e5 ec f7 a8 24 ba be 93 78 e5 ec f7 a8 24 ba
]]></artwork> ]]></artwork>
<t>Then, PRK_2e is calculated using EDHOC_Extract() determined by the ED HOC hash algorithm:</t> <t>Then, PRK_2e is calculated using EDHOC_Extract(), which is determined by the EDHOC hash algorithm:</t>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_2e = EDHOC_Extract( salt, G_XY ) = PRK_2e = EDHOC_Extract( salt, G_XY )
= HMAC-SHA-256( salt, G_XY ) = HMAC-SHA-256( salt, G_XY )
]]></artwork> ]]></artwork>
<t>where salt is TH_2:</t> <t>where salt is TH_2:</t>
<artwork><![CDATA[ <artwork><![CDATA[
salt (Raw Value) (32 bytes) salt (Raw Value) (32 bytes)
35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 02 8f f3 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 02 8f f3
9d 52 36 c1 82 b2 02 08 4b 9d 52 36 c1 82 b2 02 08 4b
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_2e (Raw Value) (32 bytes) PRK_2e (Raw Value) (32 bytes)
5a a0 d6 9f 3e 3d 1e 0c 47 9f 0b 8a 48 66 90 c9 80 26 30 c3 46 6b 1d 5a a0 d6 9f 3e 3d 1e 0c 47 9f 0b 8a 48 66 90 c9 80 26 30 c3 46 6b 1d
c9 23 71 c9 82 56 31 70 b5 c9 23 71 c9 82 56 31 70 b5
]]></artwork> ]]></artwork>
<t>Since METHOD = 3, the Responder authenticates using static DH. The ED HOC key exchange algorithm is based on the same curve as for the ephemeral keys, which is P-256, since the selected cipher suite is 2.</t> <t>Since METHOD = 3, the Responder authenticates using static DH. The ED HOC key exchange algorithm is based on the same curve as for the ephemeral keys, which is P-256, since the selected cipher suite is 2.</t>
<t>The Responder's static Diffie-Hellman P-256 key pair:</t> <t>The Responder's static Diffie-Hellman P-256 key pair consists of a pr ivate key and a public key.</t>
<artwork><![CDATA[ <artwork><![CDATA[
Responder's private authentication key Responder's private authentication key
SK_R (Raw Value) (32 bytes) SK_R (Raw Value) (32 bytes)
72 cc 47 61 db d4 c7 8f 75 89 31 aa 58 9d 34 8d 1e f8 74 a7 e3 03 ed 72 cc 47 61 db d4 c7 8f 75 89 31 aa 58 9d 34 8d 1e f8 74 a7 e3 03 ed
e2 f1 40 dc f3 e6 aa 4a ac e2 f1 40 dc f3 e6 aa 4a ac
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Responder's public authentication key, 'x'-coordinate Responder's public authentication key, 'x'-coordinate
(Raw Value) (32 bytes) (Raw Value) (32 bytes)
bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 91 a1 2a fb bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 91 a1 2a fb
cb ac 93 62 20 46 dd 44 f0 cb ac 93 62 20 46 dd 44 f0
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Responder's public authentication key, 'y'-coordinate Responder's public authentication key, 'y'-coordinate
(Raw Value) (32 bytes) (Raw Value) (32 bytes)
45 19 e2 57 23 6b 2a 0c e2 02 3f 09 31 f1 f3 86 ca 7a fd a6 4f cd e0 45 19 e2 57 23 6b 2a 0c e2 02 3f 09 31 f1 f3 86 ca 7a fd a6 4f cd e0
10 8c 22 4c 51 ea bf 60 72 10 8c 22 4c 51 ea bf 60 72
]]></artwork> ]]></artwork>
<t>Since the Responder authenticates with static DH (METHOD = 3), PRK_3e 2m is derived <t>Since the Responder authenticates with static DH (METHOD = 3), PRK_3e 2m is derived
from SALT_3e2m and G_RX.</t> from SALT_3e2m and G_RX.</t>
<t>The input needed to calculate SALT_3e2m is defined in <xref section=" 4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>, using EDHOC_Expand() w ith the EDHOC hash algorithm:</t> <t>The input needed to calculate SALT_3e2m is defined in <xref section=" 4.1.2" sectionFormat="of" target="RFC9528"/>, using EDHOC_Expand() with the EDHO C hash algorithm:</t>
<artwork><![CDATA[ <artwork><![CDATA[
SALT_3e2m = EDHOC_KDF( PRK_2e, 1, TH_2, hash_length ) = SALT_3e2m = EDHOC_KDF( PRK_2e, 1, TH_2, hash_length )
= HKDF-Expand( PRK_2e, info, hash_length ) = HKDF-Expand( PRK_2e, info, hash_length )
]]></artwork> ]]></artwork>
<t>where hash_length is the length in bytes of the output of the EDHOC h ash algorithm, and info for SALT_3e2m is:</t> <t>where hash_length is the length in bytes of the output of the EDHOC h ash algorithm, and info for SALT_3e2m is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
1, 1,
h'356efd53771425e008f3fe3a86c83ff4c6b16e57028ff39d h'356efd53771425e008f3fe3a86c83ff4c6b16e57028ff39d
5236c182b202084b', 5236c182b202084b',
32 32
) )
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
info for SALT_3e2m (CBOR Sequence) (37 bytes) info for SALT_3e2m (CBOR Sequence) (37 bytes)
01 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 01 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57
02 8f f3 9d 52 36 c1 82 b2 02 08 4b 18 20 02 8f f3 9d 52 36 c1 82 b2 02 08 4b 18 20
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
SALT_3e2m (Raw Value) (32 bytes) SALT_3e2m (Raw Value) (32 bytes)
af 4e 10 3a 47 cb 3c f3 25 70 d5 c2 5a d2 77 32 bd 8d 81 78 e9 a6 9d af 4e 10 3a 47 cb 3c f3 25 70 d5 c2 5a d2 77 32 bd 8d 81 78 e9 a6 9d
06 1c 31 a2 7f 8e 3c a9 26 06 1c 31 a2 7f 8e 3c a9 26
]]></artwork> ]]></artwork>
<t>PRK_3e2m is specified in <xref section="4.1.1.2" sectionFormat="of" t arget="I-D.ietf-lake-edhoc"/>.</t> <t>PRK_3e2m is specified in <xref section="4.1.1.2" sectionFormat="of" t arget="RFC9528"/>.</t>
<t>PRK_3e2m is derived from G_RX using EDHOC_Extract() with the EDHOC ha sh algorithm:</t> <t>PRK_3e2m is derived from G_RX using EDHOC_Extract() with the EDHOC ha sh algorithm:</t>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_3e2m = EDHOC_Extract( SALT_3e2m, G_RX ) = PRK_3e2m = EDHOC_Extract( SALT_3e2m, G_RX )
= HMAC-SHA-256( SALT_3e2m, G_RX ) = HMAC-SHA-256( SALT_3e2m, G_RX )
]]></artwork> ]]></artwork>
<t>where G_RX is the ECDH shared secret calculated from G_X and R, or G_ R and X.</t> <t>where G_RX is the ECDH shared secret calculated from G_X and R, or G_ R and X.</t>
<artwork><![CDATA[ <artwork><![CDATA[
G_RX (Raw Value) (ECDH shared secret) (32 bytes) G_RX (Raw Value) (ECDH shared secret) (32 bytes)
f2 b6 ee a0 22 20 b9 5e ee 5a 0b c7 01 f0 74 e0 0a 84 3e a0 24 22 f6 f2 b6 ee a0 22 20 b9 5e ee 5a 0b c7 01 f0 74 e0 0a 84 3e a0 24 22 f6
08 25 fb 26 9b 3e 16 14 23 08 25 fb 26 9b 3e 16 14 23
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_3e2m (Raw Value) (32 bytes) PRK_3e2m (Raw Value) (32 bytes)
0c a3 d3 39 82 96 b3 c0 39 00 98 76 20 c1 1f 6f ce 70 78 1c 1d 12 19 0c a3 d3 39 82 96 b3 c0 39 00 98 76 20 c1 1f 6f ce 70 78 1c 1d 12 19
72 0f 9e c0 8c 12 2d 84 34 72 0f 9e c0 8c 12 2d 84 34
]]></artwork> ]]></artwork>
<t>The Responder constructs the remaining input needed to calculate MAC_ 2:</t> <t>The Responder constructs the remaining input needed to calculate MAC_ 2:</t>
<t>MAC_2 = EDHOC_KDF( PRK_3e2m, 2, context_2, mac_length_2 )</t> <t>MAC_2 = EDHOC_KDF( PRK_3e2m, 2, context_2, mac_length_2 )</t>
<t>context_2 = &lt;&lt; ID_CRED_R, TH_2, CRED_R, ? EAD_2 &gt;&gt;</t> <t>context_2 = &lt;&lt; C_R, ID_CRED_R, TH_2, CRED_R, ? EAD_2 &gt;&gt;</ t>
<t>CRED_R is identified by a 'kid' with byte string value 0x32:</t> <t>CRED_R is identified by a 'kid' with byte string value 0x32:</t>
<artwork><![CDATA[ <artwork><![CDATA[
ID_CRED_R = ID_CRED_R =
{ {
4 : h'32' 4 : h'32'
} }
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
ID_CRED_R (CBOR Data Item) (4 bytes) ID_CRED_R (CBOR Data Item) (4 bytes)
a1 04 41 32 a1 04 41 32
]]></artwork> ]]></artwork>
<t>CRED_R is an RPK encoded as a CCS:</t> <t>CRED_R is an RPK encoded as a CCS:</t>
<artwork><![CDATA[ <artwork><![CDATA[
{ /CCS/ { /CCS/
2 : "example.edu", /sub/ 2 : "example.edu", /sub/
8 : { /cnf/ 8 : { /cnf/
1 : { /COSE_Key/ 1 : { /COSE_Key/
1 : 2, /kty/ 1 : 2, /kty/
2 : h'32', /kid/ 2 : h'32', /kid/
-1 : 1, /crv/ -1 : 1, /crv/
-2 : h'BBC34960526EA4D32E940CAD2A234148 -2 : h'bbc34960526ea4d32e940cad2a234148
DDC21791A12AFBCBAC93622046DD44F0', /x/ ddc21791a12afbcbac93622046dd44f0', /x/
-3 : h'4519E257236B2A0CE2023F0931F1F386 -3 : h'4519e257236b2a0ce2023f0931f1f386
CA7AFDA64FCDE0108C224C51EABF6072' /y/ ca7afda64fcde0108c224c51eabf6072' /y/
} }
} }
} }
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
CRED_R (CBOR Data Item) (95 bytes) CRED_R (CBOR Data Item) (95 bytes)
a2 02 6b 65 78 61 6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 a2 02 6b 65 78 61 6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32
20 01 21 58 20 bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 20 01 21 58 20 bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2
17 91 a1 2a fb cb ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 17 91 a1 2a fb cb ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b
2a 0c e2 02 3f 09 31 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea 2a 0c e2 02 3f 09 31 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea
bf 60 72 bf 60 72
]]></artwork> ]]></artwork>
<t>No external authorization data:</t> <t>No external authorization data:</t>
<artwork><![CDATA[ <artwork><![CDATA[
EAD_2 (CBOR Sequence) (0 bytes) EAD_2 (CBOR Sequence) (0 bytes)
]]></artwork> ]]></artwork>
<t>context_2 = &lt;&lt; ID_CRED_R, TH_2, CRED_R, ? EAD_2 &gt;&gt;</t> <t>context_2 = &lt;&lt; C_R, ID_CRED_R, TH_2, CRED_R, ? EAD_2 &gt;&gt;</ t>
<artwork><![CDATA[ <artwork><![CDATA[
context_2 (CBOR Sequence) (133 bytes) context_2 (CBOR Sequence) (134 bytes)
a1 04 41 32 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 27 a1 04 41 32 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4
b1 6e 57 02 8f f3 9d 52 36 c1 82 b2 02 08 4b a2 02 6b 65 78 61 6d 70 c6 b1 6e 57 02 8f f3 9d 52 36 c1 82 b2 02 08 4b a2 02 6b 65 78 61 6d
6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 20 01 21 58 20 bb c3 49 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 20 01 21 58 20 bb c3
60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 91 a1 2a fb cb ac 93 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 91 a1 2a fb cb ac
62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 2a 0c e2 02 3f 09 31 f1 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 2a 0c e2 02 3f 09 31
f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea bf 60 72 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea bf 60 72
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
context_2 (CBOR byte string) (135 bytes) context_2 (CBOR byte string) (136 bytes)
58 85 a1 04 41 32 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f 58 86 27 a1 04 41 32 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8
f4 c6 b1 6e 57 02 8f f3 9d 52 36 c1 82 b2 02 08 4b a2 02 6b 65 78 61 3f f4 c6 b1 6e 57 02 8f f3 9d 52 36 c1 82 b2 02 08 4b a2 02 6b 65 78
6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 20 01 21 58 20 bb 61 6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 20 01 21 58 20
c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 91 a1 2a fb cb bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 91 a1 2a fb
ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 2a 0c e2 02 3f 09 cb ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 2a 0c e2 02 3f
31 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea bf 60 72 09 31 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea bf 60 72
]]></artwork>
<t>MAC_2 is computed through EDHOC_Expand() using the EDHOC hash algorit
hm (see <xref section="4.1.2" sectionFormat="of" target="RFC9528"/>):</t>
<artwork><![CDATA[
MAC_2 = HKDF-Expand( PRK_3e2m, info, mac_length_2 )
]]></artwork>
<t>where</t>
<artwork><![CDATA[
info = ( 2, context_2, mac_length_2 )
]]></artwork> ]]></artwork>
<t>MAC_2 is computed through EDHOC_Expand() using the EDHOC hash algorit
hm, see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>:
</t>
<t>MAC_2 = HKDF-Expand(PRK_3e2m, info, mac_length_2), where</t>
<t>info = ( 2, context_2, mac_length_2 )</t>
<t>Since METHOD = 3, mac_length_2 is given by the EDHOC MAC length.</t> <t>Since METHOD = 3, mac_length_2 is given by the EDHOC MAC length.</t>
<t>info for MAC_2 is:</t> <t>info for MAC_2 is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
2, 2,
h'a10441325820356efd53771425e008f3fe3a86c83ff4c6b1 h'27a10441325820356efd53771425e008f3fe3a86c83ff4c6
6e57028ff39d5236c182b202084ba2026b6578616d706c65 b16e57028ff39d5236c182b202084ba2026b6578616d706c
2e65647508a101a501020241322001215820bbc34960526e 652e65647508a101a501020241322001215820bbc3496052
a4d32e940cad2a234148ddc21791a12afbcbac93622046dd 6ea4d32e940cad2a234148ddc21791a12afbcbac93622046
44f02258204519e257236b2a0ce2023f0931f1f386ca7afd dd44f02258204519e257236b2a0ce2023f0931f1f386ca7a
a64fcde0108c224c51eabf6072', fda64fcde0108c224c51eabf6072',
8 8
) )
]]></artwork> ]]></artwork>
<t>where the last value is the EDHOC MAC length in bytes.</t> <t>where the last value is the EDHOC MAC length in bytes.</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for MAC_2 (CBOR Sequence) (137 bytes) info for MAC_2 (CBOR Sequence) (138 bytes)
02 58 85 a1 04 41 32 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 02 58 86 27 a1 04 41 32 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86
3f f4 c6 b1 6e 57 02 8f f3 9d 52 36 c1 82 b2 02 08 4b a2 02 6b 65 78 c8 3f f4 c6 b1 6e 57 02 8f f3 9d 52 36 c1 82 b2 02 08 4b a2 02 6b 65
61 6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 20 01 21 58 20 78 61 6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 20 01 21 58
bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 91 a1 2a fb 20 bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 91 a1 2a
cb ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 2a 0c e2 02 3f fb cb ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 2a 0c e2 02
09 31 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea bf 60 72 08 3f 09 31 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea bf 60 72 08
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
MAC_2 (Raw Value) (8 bytes) MAC_2 (Raw Value) (8 bytes)
fa 5e fa 2e bf 92 0b f3 09 43 30 5c 89 9f 5c 54
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
MAC_2 (CBOR Data Item) (9 bytes) MAC_2 (CBOR Data Item) (9 bytes)
48 fa 5e fa 2e bf 92 0b f3 48 09 43 30 5c 89 9f 5c 54
]]></artwork> ]]></artwork>
<t>Since METHOD = 3, Signature_or_MAC_2 is MAC_2:</t> <t>Since METHOD = 3, Signature_or_MAC_2 is MAC_2:</t>
<artwork><![CDATA[ <artwork><![CDATA[
Signature_or_MAC_2 (Raw Value) (8 bytes) Signature_or_MAC_2 (Raw Value) (8 bytes)
fa 5e fa 2e bf 92 0b f3 09 43 30 5c 89 9f 5c 54
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Signature_or_MAC_2 (CBOR Data Item) (9 bytes) Signature_or_MAC_2 (CBOR Data Item) (9 bytes)
48 fa 5e fa 2e bf 92 0b f3 48 09 43 30 5c 89 9f 5c 54
]]></artwork> ]]></artwork>
<t>The Responder constructs PLAINTEXT_2:</t> <t>The Responder constructs PLAINTEXT_2:</t>
<artwork><![CDATA[ <artwork><![CDATA[
PLAINTEXT_2 = PLAINTEXT_2 =
( (
C_R, C_R,
ID_CRED_R / bstr / -24..23, ID_CRED_R / bstr / -24..23,
Signature_or_MAC_2, Signature_or_MAC_2,
? EAD_2 ? EAD_2
) )
]]></artwork> ]]></artwork>
<t>Since ID_CRED_R contains a single 'kid' parameter, only the byte stri ng value is included in the plaintext, represented as described in <xref section ="3.3.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>. The CBOR map { 4 : h '32' } is thus replaced, not by the CBOR byte string 0x4132, but by the CBOR int 0x32, since that is a one byte encoding of a CBOR integer (-19).</t> <t>Since ID_CRED_R contains a single 'kid' parameter, only the byte stri ng value is included in the plaintext, represented as described in <xref section ="3.3.2" sectionFormat="of" target="RFC9528"/>. The CBOR map { 4 : h'32' } is th us replaced, not by the CBOR byte string 0x4132, but by the CBOR int 0x32, since that is a one-byte encoding of a CBOR integer (-19).</t>
<artwork><![CDATA[ <artwork><![CDATA[
PLAINTEXT_2 (CBOR Sequence) (11 bytes) PLAINTEXT_2 (CBOR Sequence) (11 bytes)
27 32 48 fa 5e fa 2e bf 92 0b f3 27 32 48 09 43 30 5c 89 9f 5c 54
]]></artwork> ]]></artwork>
<t>The input needed to calculate KEYSTREAM_2 is defined in <xref section ="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>, using EDHOC_Expand() with the EDHOC hash algorithm:</t> <t>The input needed to calculate KEYSTREAM_2 is defined in <xref section ="4.1.2" sectionFormat="of" target="RFC9528"/>, using EDHOC_Expand() with the ED HOC hash algorithm:</t>
<artwork><![CDATA[ <artwork><![CDATA[
KEYSTREAM_2 = EDHOC_KDF( PRK_2e, 0, TH_2, plaintext_length ) = KEYSTREAM_2 = EDHOC_KDF( PRK_2e, 0, TH_2, plaintext_length )
= HKDF-Expand( PRK_2e, info, plaintext_length ) = HKDF-Expand( PRK_2e, info, plaintext_length )
]]></artwork> ]]></artwork>
<t>where plaintext_length is the length in bytes of PLAINTEXT_2, and inf o for KEYSTREAM_2 is:</t> <t>where plaintext_length is the length in bytes of PLAINTEXT_2, and inf o for KEYSTREAM_2 is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
0, 0,
h'356efd53771425e008f3fe3a86c83ff4c6b16e57028ff39d h'356efd53771425e008f3fe3a86c83ff4c6b16e57028ff39d
5236c182b202084b', 5236c182b202084b',
11 11
) )
]]></artwork> ]]></artwork>
<t>where the last value is the length in bytes of PLAINTEXT_2.</t> <t>where the last value is the length in bytes of PLAINTEXT_2.</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for KEYSTREAM_2 (CBOR Sequence) (36 bytes) info for KEYSTREAM_2 (CBOR Sequence) (36 bytes)
00 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 00 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57
02 8f f3 9d 52 36 c1 82 b2 02 08 4b 0b 02 8f f3 9d 52 36 c1 82 b2 02 08 4b 0b
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
KEYSTREAM_2 (Raw Value) (11 bytes) KEYSTREAM_2 (Raw Value) (11 bytes)
bf 50 e9 e7 ba d0 bb 68 17 33 99 bf 50 e9 e7 ba d0 bb 68 17 33 99
]]></artwork> ]]></artwork>
<t>The Responder calculates CIPHERTEXT_2 as XOR between PLAINTEXT_2 and KEYSTREAM_2:</t> <t>The Responder calculates CIPHERTEXT_2 as XOR between PLAINTEXT_2 and KEYSTREAM_2:</t>
<artwork><![CDATA[ <artwork><![CDATA[
CIPHERTEXT_2 (Raw Value) (11 bytes) CIPHERTEXT_2 (Raw Value) (11 bytes)
98 62 a1 1d e4 2a 95 d7 85 38 6a 98 62 a1 ee f9 e0 e7 e1 88 6f cd
]]></artwork> ]]></artwork>
<t>The Responder constructs message_2:</t> <t>The Responder constructs message_2:</t>
<artwork><![CDATA[ <artwork><![CDATA[
message_2 = message_2 =
( (
G_Y_CIPHERTEXT_2, G_Y_CIPHERTEXT_2
) )
]]></artwork> ]]></artwork>
<t>where G_Y_CIPHERTEXT_2 is the bstr encoding of the concatenation of <t>where G_Y_CIPHERTEXT_2 is the bstr encoding of the concatenation of
the raw values of G_Y and CIPHERTEXT_2.</t> the raw values of G_Y and CIPHERTEXT_2.</t>
<artwork><![CDATA[ <artwork><![CDATA[
message_2 (CBOR Sequence) (45 bytes) message_2 (CBOR Sequence) (45 bytes)
58 2b 41 97 01 d7 f0 0a 26 c2 dc 58 7a 36 dd 75 25 49 f3 37 63 c8 93 58 2b 41 97 01 d7 f0 0a 26 c2 dc 58 7a 36 dd 75 25 49 f3 37 63 c8 93
42 2c 8e a0 f9 55 a1 3a 4f f5 d5 98 62 a1 1d e4 2a 95 d7 85 38 6a 42 2c 8e a0 f9 55 a1 3a 4f f5 d5 98 62 a1 ee f9 e0 e7 e1 88 6f cd
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="message3-1"> <section anchor="message3-1">
<name>message_3</name> <name>message_3</name>
<t>The transcript hash TH_3 is calculated using the EDHOC hash algorithm :</t> <t>The transcript hash TH_3 is calculated using the EDHOC hash algorithm :</t>
<t>TH_3 = H( TH_2, PLAINTEXT_2, CRED_R )</t> <t>TH_3 = H( TH_2, PLAINTEXT_2, CRED_R )</t>
<artwork><![CDATA[ <artwork><![CDATA[
Input to calculate TH_3 (CBOR Sequence) (140 bytes) Input to calculate TH_3 (CBOR Sequence) (140 bytes)
58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 02 58 20 35 6e fd 53 77 14 25 e0 08 f3 fe 3a 86 c8 3f f4 c6 b1 6e 57 02
8f f3 9d 52 36 c1 82 b2 02 08 4b 27 32 48 fa 5e fa 2e bf 92 0b f3 a2 8f f3 9d 52 36 c1 82 b2 02 08 4b 27 32 48 09 43 30 5c 89 9f 5c 54 a2
02 6b 65 78 61 6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 20 02 6b 65 78 61 6d 70 6c 65 2e 65 64 75 08 a1 01 a5 01 02 02 41 32 20
01 21 58 20 bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17 01 21 58 20 bb c3 49 60 52 6e a4 d3 2e 94 0c ad 2a 23 41 48 dd c2 17
91 a1 2a fb cb ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 2a 91 a1 2a fb cb ac 93 62 20 46 dd 44 f0 22 58 20 45 19 e2 57 23 6b 2a
0c e2 02 3f 09 31 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea bf 0c e2 02 3f 09 31 f1 f3 86 ca 7a fd a6 4f cd e0 10 8c 22 4c 51 ea bf
60 72 60 72
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
TH_3 (Raw Value) (32 bytes) TH_3 (Raw Value) (32 bytes)
df e5 b0 65 e6 4c 72 d2 26 d5 00 c1 2d 49 be e6 dc 48 81 de d0 96 5e ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 0b 25 07 03 9d f0
9b df 89 d2 4a 54 f2 e5 9a bc 1b bf 0c 16 1b b3 15 5c
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
TH_3 (CBOR Data Item) (34 bytes) TH_3 (CBOR Data Item) (34 bytes)
58 20 df e5 b0 65 e6 4c 72 d2 26 d5 00 c1 2d 49 be e6 dc 48 81 de d0 58 20 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 0b 25 07 03
96 5e 9b df 89 d2 4a 54 f2 e5 9a 9d f0 bc 1b bf 0c 16 1b b3 15 5c
]]></artwork> ]]></artwork>
<t>Since METHOD = 3, the Initiator authenticates using static DH. The ED HOC key exchange algorithm is based on the same curve as for the ephemeral keys, which is P-256, since the selected cipher suite is 2.</t> <t>Since METHOD = 3, the Initiator authenticates using static DH. The ED HOC key exchange algorithm is based on the same curve as for the ephemeral keys, which is P-256, since the selected cipher suite is 2.</t>
<t>The Initiator's static Diffie-Hellman P-256 key pair:</t> <t>The Initiator's static Diffie-Hellman P-256 key pair consists of a pr ivate key and a public key:</t>
<artwork><![CDATA[ <artwork><![CDATA[
Initiator's private authentication key Initiator's private authentication key
SK_I (Raw Value) (32 bytes) SK_I (Raw Value) (32 bytes)
fb 13 ad eb 65 18 ce e5 f8 84 17 66 08 41 14 2e 83 0a 81 fe 33 43 80 fb 13 ad eb 65 18 ce e5 f8 84 17 66 08 41 14 2e 83 0a 81 fe 33 43 80
a9 53 40 6a 13 05 e8 70 6b a9 53 40 6a 13 05 e8 70 6b
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Initiator's public authentication key, 'x'-coordinate Initiator's public authentication key, 'x'-coordinate
(Raw Value) (32 bytes) (Raw Value) (32 bytes)
ac 75 e9 ec e3 e5 0b fc 8e d6 03 99 88 95 22 40 5c 47 bf 16 df 96 66 ac 75 e9 ec e3 e5 0b fc 8e d6 03 99 88 95 22 40 5c 47 bf 16 df 96 66
0a 41 29 8c b4 30 7f 7e b6 0a 41 29 8c b4 30 7f 7e b6
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Initiator's public authentication key, 'y'-coordinate Initiator's public authentication key, 'y'-coordinate
(Raw Value) (32 bytes) (Raw Value) (32 bytes)
6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 a3 87 d2 57 e6 db 6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 a3 87 d2 57 e6 db
3c 2a 93 df 21 ff 3a ff c8 3c 2a 93 df 21 ff 3a ff c8
]]></artwork> ]]></artwork>
<t>Since I authenticates with static DH (METHOD = 3), PRK_4e3m is derive d <t>Since I authenticates with static DH (METHOD = 3), PRK_4e3m is derive d
from SALT_4e3m and G_IY.</t> from SALT_4e3m and G_IY.</t>
<t>The input needed to calculate SALT_4e3m is defined in <xref section=" 4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>, using EDHOC_Expand() w ith the EDHOC hash algorithm:</t> <t>The input needed to calculate SALT_4e3m is defined in <xref section=" 4.1.2" sectionFormat="of" target="RFC9528"/>, using EDHOC_Expand() with the EDHO C hash algorithm:</t>
<artwork><![CDATA[ <artwork><![CDATA[
SALT_4e3m = EDHOC_KDF( PRK_3e2m, 5, TH_3, hash_length ) = SALT_4e3m = EDHOC_KDF( PRK_3e2m, 5, TH_3, hash_length )
= HKDF-Expand( PRK_3e2m, info, hash_length ) = HKDF-Expand( PRK_3e2m, info, hash_length )
]]></artwork> ]]></artwork>
<t>where hash_length is the length in bytes of the output of the EDHOC h ash algorithm, and info for SALT_4e3m is:</t> <t>where hash_length is the length in bytes of the output of the EDHOC h ash algorithm, and info for SALT_4e3m is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
5, 5,
h'dfe5b065e64c72d226d500c12d49bee6dc4881ded0965e9b h'adaf67a78a4bcc91e018f8882762a722000b2507039df0bc
df89d24a54f2e59a', 1bbf0c161bb3155c',
32 32
) )
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
info for SALT_4e3m (CBOR Sequence) (37 bytes) info for SALT_4e3m (CBOR Sequence) (37 bytes)
05 58 20 df e5 b0 65 e6 4c 72 d2 26 d5 00 c1 2d 49 be e6 dc 48 81 de 05 58 20 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 0b 25 07
d0 96 5e 9b df 89 d2 4a 54 f2 e5 9a 18 20 03 9d f0 bc 1b bf 0c 16 1b b3 15 5c 18 20
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
SALT_4e3m (Raw Value) (32 bytes) SALT_4e3m (Raw Value) (32 bytes)
84 f8 a2 a9 53 4d dd 78 dc c7 e7 6e 0d 4d f6 0b fa d7 cd 3a d6 e1 d5 cf dd f9 51 5a 7e 46 e7 b4 db ff 31 cb d5 6c d0 4b a3 32 25 0d e9 ea
31 c7 f3 73 a7 ed a5 2d 1c 5d e1 ca f9 f6 d1 39 14 a7
]]></artwork> ]]></artwork>
<t>PRK_4e3m is specified in <xref section="4.1.1.3" sectionFormat="of" t arget="I-D.ietf-lake-edhoc"/>.</t> <t>PRK_4e3m is specified in <xref section="4.1.1.3" sectionFormat="of" t arget="RFC9528"/>.</t>
<t>Since I authenticates with static DH (METHOD = 3), PRK_4e3m is derive d <t>Since I authenticates with static DH (METHOD = 3), PRK_4e3m is derive d
from G_IY using EDHOC_Extract() with the EDHOC hash algorithm:</t> from G_IY using EDHOC_Extract() with the EDHOC hash algorithm:</t>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_4e3m = EDHOC_Extract(SALT_4e3m, G_IY) = PRK_4e3m = EDHOC_Extract(SALT_4e3m, G_IY)
= HMAC-SHA-256(SALT_4e3m, G_IY) = HMAC-SHA-256(SALT_4e3m, G_IY)
]]></artwork> ]]></artwork>
<t>where G_IY is the ECDH shared secret calculated from G_I and Y, or G_ Y and I.</t> <t>where G_IY is the ECDH shared secret calculated from G_I and Y, or G_ Y and I.</t>
<artwork><![CDATA[ <artwork><![CDATA[
G_IY (Raw Value) (ECDH shared secret) (32 bytes) G_IY (Raw Value) (ECDH shared secret) (32 bytes)
08 0f 42 50 85 bc 62 49 08 9e ac 8f 10 8e a6 23 26 85 7e 12 ab 07 d7 08 0f 42 50 85 bc 62 49 08 9e ac 8f 10 8e a6 23 26 85 7e 12 ab 07 d7
20 28 ca 1b 5f 36 e0 04 b3 20 28 ca 1b 5f 36 e0 04 b3
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_4e3m (Raw Value) (32 bytes) PRK_4e3m (Raw Value) (32 bytes)
e9 cb 83 2a 24 00 95 d3 d0 64 3d be 12 e9 e2 e7 b1 8f 03 60 a3 17 2c 81 cc 8a 29 8e 35 70 44 e3 c4 66 bb 5c 0a 1e 50 7e 01 d4 92 38 ae ba
ea 7a c0 01 3e e2 40 e0 72 13 8d f9 46 35 40 7c 0f f7
]]></artwork> ]]></artwork>
<t>The Initiator constructs the remaining input needed to calculate MAC_ 3:</t> <t>The Initiator constructs the remaining input needed to calculate MAC_ 3:</t>
<t>MAC_3 = EDHOC_KDF( PRK_4e3m, 6, context_3, mac_length_3 )</t> <t>MAC_3 = EDHOC_KDF( PRK_4e3m, 6, context_3, mac_length_3 )</t>
<t>context_3 = &lt;&lt; ID_CRED_I, TH_3, CRED_I, ? EAD_3 &gt;&gt;</t> <t>context_3 = &lt;&lt; ID_CRED_I, TH_3, CRED_I, ? EAD_3 &gt;&gt;</t>
<t>CRED_I is identified by a 'kid' with byte string value 0x2b:</t> <t>CRED_I is identified by a 'kid' with byte string value 0x2b:</t>
<artwork><![CDATA[ <artwork><![CDATA[
ID_CRED_I = ID_CRED_I =
{ {
4 : h'2b' 4 : h'2b'
} }
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
ID_CRED_I (CBOR Data Item) (4 bytes) ID_CRED_I (CBOR Data Item) (4 bytes)
a1 04 41 2b a1 04 41 2b
]]></artwork> ]]></artwork>
<t>CRED_I is an RPK encoded as a CCS:</t> <t>CRED_I is an RPK encoded as a CCS:</t>
<artwork><![CDATA[ <artwork><![CDATA[
{ /CCS/ { /CCS/
2 : "42-50-31-FF-EF-37-32-39", /sub/ 2 : "42-50-31-FF-EF-37-32-39", /sub/
8 : { /cnf/ 8 : { /cnf/
1 : { /COSE_Key/ 1 : { /COSE_Key/
1 : 2, /kty/ 1 : 2, /kty/
2 : h'2b', /kid/ 2 : h'2b', /kid/
-1 : 1, /crv/ -1 : 1, /crv/
-2 : h'AC75E9ECE3E50BFC8ED6039988952240 -2 : h'ac75e9ece3e50bfc8ed6039988952240
5C47BF16DF96660A41298CB4307F7EB6' /x/ 5c47bf16df96660a41298cb4307f7eb6' /x/
-3 : h'6E5DE611388A4B8A8211334AC7D37ECB -3 : h'6e5de611388a4b8a8211334ac7d37ecb
52A387D257E6DB3C2A93DF21FF3AFFC8' /y/ 52a387d257e6db3c2a93df21ff3affc8' /y/
} }
} }
} }
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
CRED_I (CBOR Data Item) (107 bytes) CRED_I (CBOR Data Item) (107 bytes)
a2 02 77 34 32 2d 35 30 2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32 a2 02 77 34 32 2d 35 30 2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32
2d 33 39 08 a1 01 a5 01 02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5 2d 33 39 08 a1 01 a5 01 02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5
0b fc 8e d6 03 99 88 95 22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30 0b fc 8e d6 03 99 88 95 22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30
7f 7e b6 22 58 20 6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 7f 7e b6 22 58 20 6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52
a3 87 d2 57 e6 db 3c 2a 93 df 21 ff 3a ff c8 a3 87 d2 57 e6 db 3c 2a 93 df 21 ff 3a ff c8
]]></artwork> ]]></artwork>
<t>No external authorization data:</t> <t>No external authorization data:</t>
<artwork><![CDATA[ <artwork><![CDATA[
EAD_3 (CBOR Sequence) (0 bytes) EAD_3 (CBOR Sequence) (0 bytes)
]]></artwork> ]]></artwork>
<t>context_3 = &lt;&lt; ID_CRED_I, TH_3, CRED_I, ? EAD_3 &gt;&gt;</t> <t>context_3 = &lt;&lt; ID_CRED_I, TH_3, CRED_I, ? EAD_3 &gt;&gt;</t>
<artwork><![CDATA[ <artwork><![CDATA[
context_3 (CBOR Sequence) (145 bytes) context_3 (CBOR Sequence) (145 bytes)
a1 04 41 2b 58 20 df e5 b0 65 e6 4c 72 d2 26 d5 00 c1 2d 49 be e6 dc a1 04 41 2b 58 20 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00
48 81 de d0 96 5e 9b df 89 d2 4a 54 f2 e5 9a a2 02 77 34 32 2d 35 30 0b 25 07 03 9d f0 bc 1b bf 0c 16 1b b3 15 5c a2 02 77 34 32 2d 35 30
2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32 2d 33 39 08 a1 01 a5 01 2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32 2d 33 39 08 a1 01 a5 01
02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5 0b fc 8e d6 03 99 88 95 02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5 0b fc 8e d6 03 99 88 95
22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30 7f 7e b6 22 58 20 6e 5d 22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30 7f 7e b6 22 58 20 6e 5d
e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 a3 87 d2 57 e6 db 3c 2a e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 a3 87 d2 57 e6 db 3c 2a
93 df 21 ff 3a ff c8 93 df 21 ff 3a ff c8
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
context_3 (CBOR byte string) (147 bytes) context_3 (CBOR byte string) (147 bytes)
58 91 a1 04 41 2b 58 20 df e5 b0 65 e6 4c 72 d2 26 d5 00 c1 2d 49 be 58 91 a1 04 41 2b 58 20 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7
e6 dc 48 81 de d0 96 5e 9b df 89 d2 4a 54 f2 e5 9a a2 02 77 34 32 2d 22 00 0b 25 07 03 9d f0 bc 1b bf 0c 16 1b b3 15 5c a2 02 77 34 32 2d
35 30 2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32 2d 33 39 08 a1 01 35 30 2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32 2d 33 39 08 a1 01
a5 01 02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5 0b fc 8e d6 03 99 a5 01 02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5 0b fc 8e d6 03 99
88 95 22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30 7f 7e b6 22 58 20 88 95 22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30 7f 7e b6 22 58 20
6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 a3 87 d2 57 e6 db 6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 a3 87 d2 57 e6 db
3c 2a 93 df 21 ff 3a ff c8 3c 2a 93 df 21 ff 3a ff c8
]]></artwork> ]]></artwork>
<t>MAC_3 is computed through EDHOC_Expand() using the EDHOC hash algorit hm, see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>: </t> <t>MAC_3 is computed through EDHOC_Expand() using the EDHOC hash algorit hm (see <xref section="4.1.2" sectionFormat="of" target="RFC9528"/>):</t>
<artwork><![CDATA[ <artwork><![CDATA[
MAC_3 = HKDF-Expand(PRK_4e3m, info, mac_length_3), where MAC_3 = HKDF-Expand( PRK_4e3m, info, mac_length_3 )
]]></artwork>
<t>where</t>
<artwork><![CDATA[
info = ( 6, context_3, mac_length_3 )
]]></artwork> ]]></artwork>
<t>info = ( 6, context_3, mac_length_3 )</t>
<t>Since METHOD = 3, mac_length_3 is given by the EDHOC MAC length.</t> <t>Since METHOD = 3, mac_length_3 is given by the EDHOC MAC length.</t>
<t>info for MAC_3 is:</t> <t>info for MAC_3 is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
6, 6,
h'a104412b5820dfe5b065e64c72d226d500c12d49bee6dc48 h'a104412b5820adaf67a78a4bcc91e018f8882762a722000b
81ded0965e9bdf89d24a54f2e59aa2027734322d35302d33 2507039df0bc1bbf0c161bb3155ca2027734322d35302d33
312d46462d45462d33372d33322d333908a101a501020241 312d46462d45462d33372d33322d333908a101a501020241
2b2001215820ac75e9ece3e50bfc8ed60399889522405c47 2b2001215820ac75e9ece3e50bfc8ed60399889522405c47
bf16df96660a41298cb4307f7eb62258206e5de611388a4b bf16df96660a41298cb4307f7eb62258206e5de611388a4b
8a8211334ac7d37ecb52a387d257e6db3c2a93df21ff3aff 8a8211334ac7d37ecb52a387d257e6db3c2a93df21ff3aff
c8', c8',
8 8
) )
]]></artwork> ]]></artwork>
<t>where the last value is the EDHOC MAC length in bytes.</t> <t>where the last value is the EDHOC MAC length in bytes.</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for MAC_3 (CBOR Sequence) (149 bytes) info for MAC_3 (CBOR Sequence) (149 bytes)
06 58 91 a1 04 41 2b 58 20 df e5 b0 65 e6 4c 72 d2 26 d5 00 c1 2d 49 06 58 91 a1 04 41 2b 58 20 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62
be e6 dc 48 81 de d0 96 5e 9b df 89 d2 4a 54 f2 e5 9a a2 02 77 34 32 a7 22 00 0b 25 07 03 9d f0 bc 1b bf 0c 16 1b b3 15 5c a2 02 77 34 32
2d 35 30 2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32 2d 33 39 08 a1 2d 35 30 2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32 2d 33 39 08 a1
01 a5 01 02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5 0b fc 8e d6 03 01 a5 01 02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5 0b fc 8e d6 03
99 88 95 22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30 7f 7e b6 22 58 99 88 95 22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30 7f 7e b6 22 58
20 6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 a3 87 d2 57 e6 20 6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 a3 87 d2 57 e6
db 3c 2a 93 df 21 ff 3a ff c8 08 db 3c 2a 93 df 21 ff 3a ff c8 08
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
MAC_3 (Raw Value) (8 bytes) MAC_3 (Raw Value) (8 bytes)
a5 ee b9 ef fd ab fc 39 62 3c 91 df 41 e3 4c 2f
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
MAC_3 (CBOR Data Item) (9 bytes) MAC_3 (CBOR Data Item) (9 bytes)
48 a5 ee b9 ef fd ab fc 39 48 62 3c 91 df 41 e3 4c 2f
]]></artwork> ]]></artwork>
<t>Since METHOD = 3, Signature_or_MAC_3 is MAC_3:</t> <t>Since METHOD = 3, Signature_or_MAC_3 is MAC_3:</t>
<artwork><![CDATA[ <artwork><![CDATA[
Signature_or_MAC_3 (Raw Value) (8 bytes) Signature_or_MAC_3 (Raw Value) (8 bytes)
a5 ee b9 ef fd ab fc 39 62 3c 91 df 41 e3 4c 2f
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Signature_or_MAC_3 (CBOR Data Item) (9 bytes) Signature_or_MAC_3 (CBOR Data Item) (9 bytes)
48 a5 ee b9 ef fd ab fc 39 48 62 3c 91 df 41 e3 4c 2f
]]></artwork> ]]></artwork>
<t>The Initiator constructs PLAINTEXT_3:</t> <t>The Initiator constructs PLAINTEXT_3:</t>
<artwork><![CDATA[ <artwork><![CDATA[
PLAINTEXT_3 = PLAINTEXT_3 =
( (
ID_CRED_I / bstr / -24..23, ID_CRED_I / bstr / -24..23,
Signature_or_MAC_3, Signature_or_MAC_3,
? EAD_3 ? EAD_3
) )
]]></artwork> ]]></artwork>
<t>Since ID_CRED_I contains a single 'kid' parameter, only the byte stri ng value is included in the plaintext, represented as described in <xref section ="3.3.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>. The CBOR map { 4 : h '2b' } is thus replaced, not by the CBOR byte string 0x412b, but by the CBOR int 0x2b, since that is a one byte encoding of a CBOR integer (-12).</t> <t>Since ID_CRED_I contains a single 'kid' parameter, only the byte stri ng value is included in the plaintext, represented as described in <xref section ="3.3.2" sectionFormat="of" target="RFC9528"/>. The CBOR map { 4 : h'2b' } is th us replaced, not by the CBOR byte string 0x412b, but by the CBOR int 0x2b, since that is a one-byte encoding of a CBOR integer (-12).</t>
<artwork><![CDATA[ <artwork><![CDATA[
PLAINTEXT_3 (CBOR Sequence) (10 bytes) PLAINTEXT_3 (CBOR Sequence) (10 bytes)
2b 48 a5 ee b9 ef fd ab fc 39 2b 48 62 3c 91 df 41 e3 4c 2f
]]></artwork> ]]></artwork>
<t>The Initiator constructs the associated data for message_3:</t> <t>The Initiator constructs the associated data for message_3:</t>
<artwork><![CDATA[ <artwork><![CDATA[
A_3 = A_3 =
[ [
"Encrypt0", "Encrypt0",
h'', h'',
h'dfe5b065e64c72d226d500c12d49bee6dc4881ded0965e9b h'adaf67a78a4bcc91e018f8882762a722000b2507039df0bc
df89d24a54f2e59a' 1bbf0c161bb3155c'
] ]
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
A_3 (CBOR Data Item) (45 bytes) A_3 (CBOR Data Item) (45 bytes)
83 68 45 6e 63 72 79 70 74 30 40 58 20 df e5 b0 65 e6 4c 72 d2 26 d5 83 68 45 6e 63 72 79 70 74 30 40 58 20 ad af 67 a7 8a 4b cc 91 e0 18
00 c1 2d 49 be e6 dc 48 81 de d0 96 5e 9b df 89 d2 4a 54 f2 e5 9a f8 88 27 62 a7 22 00 0b 25 07 03 9d f0 bc 1b bf 0c 16 1b b3 15 5c
]]></artwork> ]]></artwork>
<t>The Initiator constructs the input needed to derive the key K_3, see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>, using t he EDHOC hash algorithm:</t> <t>The Initiator constructs the input needed to derive the key K_3 (see <xref section="4.1.2" sectionFormat="of" target="RFC9528"/>) using the EDHOC has h algorithm:</t>
<artwork><![CDATA[ <artwork><![CDATA[
K_3 = EDHOC_KDF( PRK_3e2m, 3, TH_3, key_length ) K_3 = EDHOC_KDF( PRK_3e2m, 3, TH_3, key_length )
= HKDF-Expand( PRK_3e2m, info, key_length ), = HKDF-Expand( PRK_3e2m, info, key_length )
]]></artwork> ]]></artwork>
<t>where key_length is the key length in bytes for the EDHOC AEAD algori thm, and info for K_3 is:</t> <t>where key_length is the key length in bytes for the EDHOC AEAD algori thm, and info for K_3 is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
3, 3,
h'dfe5b065e64c72d226d500c12d49bee6dc4881ded0965e9b h'adaf67a78a4bcc91e018f8882762a722000b2507039df0bc
df89d24a54f2e59a', 1bbf0c161bb3155c',
16 16
) )
]]></artwork> ]]></artwork>
<t>where the last value is the key length in bytes for the EDHOC AEAD al gorithm.</t> <t>where the last value is the key length in bytes for the EDHOC AEAD al gorithm.</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for K_3 (CBOR Sequence) (36 bytes) info for K_3 (CBOR Sequence) (36 bytes)
03 58 20 df e5 b0 65 e6 4c 72 d2 26 d5 00 c1 2d 49 be e6 dc 48 81 de 03 58 20 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 0b 25 07
d0 96 5e 9b df 89 d2 4a 54 f2 e5 9a 10 03 9d f0 bc 1b bf 0c 16 1b b3 15 5c 10
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
K_3 (Raw Value) (16 bytes) K_3 (Raw Value) (16 bytes)
ab 3b 2b 52 a0 4b 6a a3 2f 96 31 19 16 88 3a dd 8e 7a 30 04 20 00 f7 90 0e 81 74 13 1f 75 f3 ed
]]></artwork> ]]></artwork>
<t>The Initiator constructs the input needed to derive the nonce IV_3, s ee <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>, usin g the EDHOC hash algorithm:</t> <t>The Initiator constructs the input needed to derive the nonce IV_3 (s ee <xref section="4.1.2" sectionFormat="of" target="RFC9528"/>) using the EDHOC hash algorithm:</t>
<artwork><![CDATA[ <artwork><![CDATA[
IV_3 = EDHOC_KDF( PRK_3e2m, 4, TH_3, iv_length ) IV_3 = EDHOC_KDF( PRK_3e2m, 4, TH_3, iv_length )
= HKDF-Expand( PRK_3e2m, info, iv_length ), = HKDF-Expand( PRK_3e2m, info, iv_length )
]]></artwork> ]]></artwork>
<t>where iv_length is the nonce length in bytes for the EDHOC AEAD algor ithm, and info for IV_3 is:</t> <t>where iv_length is the nonce length in bytes for the EDHOC AEAD algor ithm, and info for IV_3 is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
4, 4,
h'dfe5b065e64c72d226d500c12d49bee6dc4881ded0965e9b h'adaf67a78a4bcc91e018f8882762a722000b2507039df0bc
df89d24a54f2e59a', 1bbf0c161bb3155c',
13 13
) )
]]></artwork> ]]></artwork>
<t>where the last value is the nonce length in bytes for the EDHOC AEAD algorithm.</t> <t>where the last value is the nonce length in bytes for the EDHOC AEAD algorithm.</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for IV_3 (CBOR Sequence) (36 bytes) info for IV_3 (CBOR Sequence) (36 bytes)
04 58 20 df e5 b0 65 e6 4c 72 d2 26 d5 00 c1 2d 49 be e6 dc 48 81 de 04 58 20 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 0b 25 07
d0 96 5e 9b df 89 d2 4a 54 f2 e5 9a 0d 03 9d f0 bc 1b bf 0c 16 1b b3 15 5c 0d
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
IV_3 (Raw Value) (13 bytes) IV_3 (Raw Value) (13 bytes)
05 55 cf a1 6e 40 8d e5 e1 52 3d 04 7d 6d 83 00 c1 e2 3b 56 15 3a e7 0e e4 57
]]></artwork> ]]></artwork>
<t>The Initiator calculates CIPHERTEXT_3 as 'ciphertext' of COSE_Encrypt 0 applied <t>The Initiator calculates CIPHERTEXT_3 as 'ciphertext' of COSE_Encrypt 0 applied
using the EDHOC AEAD algorithm with plaintext PLAINTEXT_3, additional data using the EDHOC AEAD algorithm with plaintext PLAINTEXT_3, additional data
A_3, key K_3 and nonce IV_3.</t> A_3, key K_3, and nonce IV_3.</t>
<artwork><![CDATA[ <artwork><![CDATA[
CIPHERTEXT_3 (Raw Value) (18 bytes) CIPHERTEXT_3 (Raw Value) (18 bytes)
47 3d d1 60 77 dd 71 d6 5b 56 e6 bd 71 e7 a4 9d 60 12 e5 62 09 7b c4 17 dd 59 19 48 5a c7 89 1f fd 90 a9 fc
]]></artwork> ]]></artwork>
<t>message_3 is the CBOR bstr encoding of CIPHERTEXT_3:</t> <t>message_3 is the CBOR bstr encoding of CIPHERTEXT_3:</t>
<artwork><![CDATA[ <artwork><![CDATA[
message_3 (CBOR Sequence) (19 bytes) message_3 (CBOR Sequence) (19 bytes)
52 47 3d d1 60 77 dd 71 d6 5b 56 e6 bd 71 e7 a4 9d 60 12 52 e5 62 09 7b c4 17 dd 59 19 48 5a c7 89 1f fd 90 a9 fc
]]></artwork> ]]></artwork>
<t>The transcript hash TH_4 is calculated using the EDHOC hash algorithm :</t> <t>The transcript hash TH_4 is calculated using the EDHOC hash algorithm :</t>
<t>TH_4 = H( TH_3, PLAINTEXT_3, CRED_I )</t> <t>TH_4 = H( TH_3, PLAINTEXT_3, CRED_I )</t>
<artwork><![CDATA[ <artwork><![CDATA[
Input to calculate TH_4 (CBOR Sequence) (151 bytes) Input to calculate TH_4 (CBOR Sequence) (151 bytes)
58 20 df e5 b0 65 e6 4c 72 d2 26 d5 00 c1 2d 49 be e6 dc 48 81 de d0 58 20 ad af 67 a7 8a 4b cc 91 e0 18 f8 88 27 62 a7 22 00 0b 25 07 03
96 5e 9b df 89 d2 4a 54 f2 e5 9a 2b 48 a5 ee b9 ef fd ab fc 39 a2 02 9d f0 bc 1b bf 0c 16 1b b3 15 5c 2b 48 62 3c 91 df 41 e3 4c 2f a2 02
77 34 32 2d 35 30 2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32 2d 33 77 34 32 2d 35 30 2d 33 31 2d 46 46 2d 45 46 2d 33 37 2d 33 32 2d 33
39 08 a1 01 a5 01 02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5 0b fc 39 08 a1 01 a5 01 02 02 41 2b 20 01 21 58 20 ac 75 e9 ec e3 e5 0b fc
8e d6 03 99 88 95 22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30 7f 7e 8e d6 03 99 88 95 22 40 5c 47 bf 16 df 96 66 0a 41 29 8c b4 30 7f 7e
b6 22 58 20 6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 a3 87 b6 22 58 20 6e 5d e6 11 38 8a 4b 8a 82 11 33 4a c7 d3 7e cb 52 a3 87
d2 57 e6 db 3c 2a 93 df 21 ff 3a ff c8 d2 57 e6 db 3c 2a 93 df 21 ff 3a ff c8
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
TH_4 (Raw Value) (32 bytes) TH_4 (Raw Value) (32 bytes)
ba f6 0a db c5 00 fc e7 89 af 25 b1 08 ad a2 27 55 75 05 6c 52 c1 c2 c9 02 b1 e3 a4 32 6c 93 c5 55 1f 5f 3a a6 c5 ec c0 24 68 06 76 56 12
03 6a 2d a4 a6 43 89 1c b4 e5 2b 5d 99 e6 05 9d 6b 6e
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
TH_4 (CBOR Data Item) (34 bytes) TH_4 (CBOR Data Item) (34 bytes)
58 20 ba f6 0a db c5 00 fc e7 89 af 25 b1 08 ad a2 27 55 75 05 6c 52 58 20 c9 02 b1 e3 a4 32 6c 93 c5 55 1f 5f 3a a6 c5 ec c0 24 68 06 76
c1 c2 03 6a 2d a4 a6 43 89 1c b4 56 12 e5 2b 5d 99 e6 05 9d 6b 6e
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="message4-1"> <section anchor="message4-1">
<name>message_4</name> <name>message_4</name>
<t>No external authorization data:</t> <t>No external authorization data:</t>
<t>EAD_4 (CBOR Sequence) (0 bytes)</t> <artwork><![CDATA[
EAD_4 (CBOR Sequence) (0 bytes)
]]></artwork>
<t>The Responder constructs PLAINTEXT_4:</t> <t>The Responder constructs PLAINTEXT_4:</t>
<artwork><![CDATA[ <artwork><![CDATA[
PLAINTEXT_4 = PLAINTEXT_4 =
( (
? EAD_4 ? EAD_4
) )
]]></artwork> ]]></artwork>
<t>PLAINTEXT_4 (CBOR Sequence) (0 bytes)</t> <artwork><![CDATA[
PLAINTEXT_4 (CBOR Sequence) (0 bytes)
]]></artwork>
<t>The Responder constructs the associated data for message_4:</t> <t>The Responder constructs the associated data for message_4:</t>
<artwork><![CDATA[ <artwork><![CDATA[
A_4 = A_4 =
[ [
"Encrypt0", "Encrypt0",
h'', h'',
h'baf60adbc500fce789af25b108ada2275575056c52c1c203 h'c902b1e3a4326c93c5551f5f3aa6c5ecc0246806765612e5
6a2da4a643891cb4' 2b5d99e6059d6b6e'
] ]
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
A_4 (CBOR Data Item) (45 bytes) A_4 (CBOR Data Item) (45 bytes)
83 68 45 6e 63 72 79 70 74 30 40 58 20 ba f6 0a db c5 00 fc e7 89 af 83 68 45 6e 63 72 79 70 74 30 40 58 20 c9 02 b1 e3 a4 32 6c 93 c5 55
25 b1 08 ad a2 27 55 75 05 6c 52 c1 c2 03 6a 2d a4 a6 43 89 1c b4 1f 5f 3a a6 c5 ec c0 24 68 06 76 56 12 e5 2b 5d 99 e6 05 9d 6b 6e
]]></artwork> ]]></artwork>
<t>The Responder constructs the input needed to derive the EDHOC message _4 key, see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edhoc "/>, using the EDHOC hash algorithm:</t> <t>The Responder constructs the input needed to derive the EDHOC message _4 key (see <xref section="4.1.2" sectionFormat="of" target="RFC9528"/>) using t he EDHOC hash algorithm:</t>
<artwork><![CDATA[ <artwork><![CDATA[
K_4 = EDHOC_KDF( PRK_4e3m, 8, TH_4, key_length ) K_4 = EDHOC_KDF( PRK_4e3m, 8, TH_4, key_length )
= HKDF-Expand( PRK_4e3m, info, key_length ) = HKDF-Expand( PRK_4e3m, info, key_length )
]]></artwork> ]]></artwork>
<t>where key_length is the key length in bytes for the EDHOC AEAD algori thm, <t>where key_length is the key length in bytes for the EDHOC AEAD algori thm,
and info for K_4 is:</t> and info for K_4 is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
8, 8,
h'baf60adbc500fce789af25b108ada2275575056c52c1c203 h'c902b1e3a4326c93c5551f5f3aa6c5ecc0246806765612e5
6a2da4a643891cb4', 2b5d99e6059d6b6e',
16 16
) )
]]></artwork> ]]></artwork>
<t>where the last value is the key length in bytes for the EDHOC AEAD al gorithm.</t> <t>where the last value is the key length in bytes for the EDHOC AEAD al gorithm.</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for K_4 (CBOR Sequence) (36 bytes) info for K_4 (CBOR Sequence) (36 bytes)
08 58 20 ba f6 0a db c5 00 fc e7 89 af 25 b1 08 ad a2 27 55 75 05 6c 08 58 20 c9 02 b1 e3 a4 32 6c 93 c5 55 1f 5f 3a a6 c5 ec c0 24 68 06
52 c1 c2 03 6a 2d a4 a6 43 89 1c b4 10 76 56 12 e5 2b 5d 99 e6 05 9d 6b 6e 10
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
K_4 (Raw Value) (16 bytes) K_4 (Raw Value) (16 bytes)
22 9d 4c 1d 6d 02 33 7b 1c e3 81 a2 bf a7 9b 2e d3 c7 78 72 b6 ee b5 08 91 1b db d3 08 b2 e6 a0
]]></artwork> ]]></artwork>
<t>The Responder constructs the input needed to derive the EDHOC message _4 nonce, see <xref section="4.1.2" sectionFormat="of" target="I-D.ietf-lake-edh oc"/>, using the EDHOC hash algorithm:</t> <t>The Responder constructs the input needed to derive the EDHOC message _4 nonce (see <xref section="4.1.2" sectionFormat="of" target="RFC9528"/>) using the EDHOC hash algorithm:</t>
<artwork><![CDATA[ <artwork><![CDATA[
IV_4 = EDHOC_KDF( PRK_4e3m, 9, TH_4, iv_length ) IV_4 = EDHOC_KDF( PRK_4e3m, 9, TH_4, iv_length )
= HKDF-Expand( PRK_4e3m, info, iv_length ) = HKDF-Expand( PRK_4e3m, info, iv_length )
]]></artwork> ]]></artwork>
<t>where iv_length is the nonce length in bytes for the EDHOC AEAD algor ithm, <t>where iv_length is the nonce length in bytes for the EDHOC AEAD algor ithm,
and info for IV_4 is:</t> and info for IV_4 is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
9, 9,
h'baf60adbc500fce789af25b108ada2275575056c52c1c203 h'c902b1e3a4326c93c5551f5f3aa6c5ecc0246806765612e5
6a2da4a643891cb4', 2b5d99e6059d6b6e',
13 13
) )
]]></artwork> ]]></artwork>
<t>where the last value is the nonce length in bytes for the EDHOC AEAD algorithm.</t> <t>where the last value is the nonce length in bytes for the EDHOC AEAD algorithm.</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for IV_4 (CBOR Sequence) (36 bytes) info for IV_4 (CBOR Sequence) (36 bytes)
09 58 20 ba f6 0a db c5 00 fc e7 89 af 25 b1 08 ad a2 27 55 75 05 6c 09 58 20 c9 02 b1 e3 a4 32 6c 93 c5 55 1f 5f 3a a6 c5 ec c0 24 68 06
52 c1 c2 03 6a 2d a4 a6 43 89 1c b4 0d 76 56 12 e5 2b 5d 99 e6 05 9d 6b 6e 0d
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
IV_4 (Raw Value) (13 bytes) IV_4 (Raw Value) (13 bytes)
98 4d 59 ab 25 5e 3d c6 f8 e0 65 5c b6 04 ff 0f 44 45 6e 96 e2 17 85 3c 36 01
]]></artwork> ]]></artwork>
<t>The Responder calculates CIPHERTEXT_4 as 'ciphertext' of COSE_Encrypt 0 applied <t>The Responder calculates CIPHERTEXT_4 as 'ciphertext' of COSE_Encrypt 0 applied
using the EDHOC AEAD algorithm with plaintext PLAINTEXT_4, additional data using the EDHOC AEAD algorithm with plaintext PLAINTEXT_4, additional data
A_4, key K_4 and nonce IV_4.</t> A_4, key K_4, and nonce IV_4.</t>
<artwork><![CDATA[ <artwork><![CDATA[
CIPHERTEXT_4 (8 bytes) CIPHERTEXT_4 (8 bytes)
89 07 43 64 70 a6 e1 9f 28 c9 66 b7 ca 30 4f 83
]]></artwork> ]]></artwork>
<t>message_4 is the CBOR bstr encoding of CIPHERTEXT_4:</t> <t>message_4 is the CBOR bstr encoding of CIPHERTEXT_4:</t>
<artwork><![CDATA[ <artwork><![CDATA[
message_4 (CBOR Sequence) (9 bytes) message_4 (CBOR Sequence) (9 bytes)
48 89 07 43 64 70 a6 e1 9f 48 28 c9 66 b7 ca 30 4f 83
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="out-and-exporter2"> <section anchor="out-and-exporter2">
<name>PRK_out and PRK_exporter</name> <name>PRK_out and PRK_exporter</name>
<t>PRK_out is specified in <xref section="4.1.3" sectionFormat="of" targ et="I-D.ietf-lake-edhoc"/>.</t> <t>PRK_out is specified in <xref section="4.1.3" sectionFormat="of" targ et="RFC9528"/>.</t>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_out = EDHOC_KDF( PRK_4e3m, 7, TH_4, hash_length ) = PRK_out = EDHOC_KDF( PRK_4e3m, 7, TH_4, hash_length )
= HKDF-Expand( PRK_4e3m, info, hash_length ) = HKDF-Expand( PRK_4e3m, info, hash_length )
]]></artwork> ]]></artwork>
<t>where hash_length is the length in bytes of the output of the EDHOC h ash algorithm, and info for PRK_out is:</t> <t>where hash_length is the length in bytes of the output of the EDHOC h ash algorithm, and info for PRK_out is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
7, 7,
h'baf60adbc500fce789af25b108ada2275575056c52c1c203 h'c902b1e3a4326c93c5551f5f3aa6c5ecc0246806765612e5
6a2da4a643891cb4', 2b5d99e6059d6b6e',
32 32
) )
]]></artwork> ]]></artwork>
<t>where the last value is the length in bytes of the output of the EDHO C hash algorithm.</t> <t>where the last value is the length in bytes of the output of the EDHO C hash algorithm.</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for PRK_out (CBOR Sequence) (37 bytes) info for PRK_out (CBOR Sequence) (37 bytes)
07 58 20 ba f6 0a db c5 00 fc e7 89 af 25 b1 08 ad a2 27 55 75 05 6c 07 58 20 c9 02 b1 e3 a4 32 6c 93 c5 55 1f 5f 3a a6 c5 ec c0 24 68 06
52 c1 c2 03 6a 2d a4 a6 43 89 1c b4 18 20 76 56 12 e5 2b 5d 99 e6 05 9d 6b 6e 18 20
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_out (Raw Value) (32 bytes) PRK_out (Raw Value) (32 bytes)
6b 2d ae 40 32 30 65 71 cf bc 2e 4f 94 a2 55 fb 9f 1f 3f b2 9c a6 f3 2c 71 af c1 a9 33 8a 94 0b b3 52 9c a7 34 b8 86 f3 0d 1a ba 0b 4d c5
79 fe c9 89 d4 fa 90 dc f0 1b ee ae ab df ea 9e cb f8
]]></artwork> ]]></artwork>
<t>The OSCORE Master Secret and OSCORE Master Salt are derived with the EDHOC_Exporter as specified in 4.2.1 of <xref target="I-D.ietf-lake-edhoc"/>.</t > <t>The OSCORE Master Secret and OSCORE Master Salt are derived with the EDHOC_Exporter as specified in <xref target="RFC9528" sectionFormat="of" section ="4.2.1"/>.</t>
<artwork><![CDATA[ <artwork><![CDATA[
EDHOC_Exporter( label, context, length ) EDHOC_Exporter( exporter_label, context, length )
= EDHOC_KDF( PRK_exporter, label, context, length ) = EDHOC_KDF( PRK_exporter, exporter_label, context, length )
]]></artwork> ]]></artwork>
<t>where PRK_exporter is derived from PRK_out:</t> <t>where PRK_exporter is derived from PRK_out:</t>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length ) = PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length )
= HKDF-Expand( PRK_out, info, hash_length ) = HKDF-Expand( PRK_out, info, hash_length )
]]></artwork> ]]></artwork>
<t>where hash_length is the length in bytes of the output of the EDHOC h ash algorithm, and info for the PRK_exporter is:</t> <t>where hash_length is the length in bytes of the output of the EDHOC h ash algorithm, and info for the PRK_exporter is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
10, 10,
h'', h'',
32 32
) )
]]></artwork> ]]></artwork>
<t>where the last value is the length in bytes of the output of the EDHO C hash algorithm.</t> <t>where the last value is the length in bytes of the output of the EDHO C hash algorithm.</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for PRK_exporter (CBOR Sequence) (4 bytes) info for PRK_exporter (CBOR Sequence) (4 bytes)
0a 40 18 20 0a 40 18 20
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_exporter (Raw Value) (32 bytes) PRK_exporter (Raw Value) (32 bytes)
4f 0a 5a 82 3d 06 d0 00 5e 1b ec da 8a 6e 61 f3 c8 c6 7a 8b 15 da 7d e1 4d 06 69 9c ee 24 8c 5a 04 bf 92 27 bb cd 4c e3 94 de 7d cb 56 db
44 d3 58 5e c5 85 4e 91 e2 43 55 54 74 17 1e 64 46 db
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="oscore-parameters"> <section anchor="oscore-parameters">
<name>OSCORE Parameters</name> <name>OSCORE Parameters</name>
<t>The derivation of OSCORE parameters is specified in <xref section="A. <t>The derivation of OSCORE parameters is specified in <xref section="A.
1" sectionFormat="of" target="I-D.ietf-lake-edhoc"/>.</t> 1" sectionFormat="of" target="RFC9528"/>.</t>
<t>The AEAD and Hash algorithms to use in OSCORE are given by the select <t>The AEAD and hash algorithms to use in OSCORE are given by the select
ed cipher suite:</t> ed cipher suite:</t>
<artwork><![CDATA[ <artwork><![CDATA[
Application AEAD Algorithm (int) Application AEAD Algorithm (int)
10 10
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
Application Hash Algorithm (int) Application Hash Algorithm (int)
-16 -16
]]></artwork> ]]></artwork>
<t>The mapping from EDHOC connection identifiers to OSCORE Sender/Recipi ent IDs <t>The mapping from EDHOC connection identifiers to OSCORE Sender/Recipi ent IDs
is defined in <xref section="3.3.3" sectionFormat="of" target="I-D.ietf-lake-edh oc"/>.</t> is defined in <xref section="3.3.3" sectionFormat="of" target="RFC9528"/>.</t>
<t>C_R is mapped to the Recipient ID of the server, i.e., the Sender ID of the client. The byte string 0x27, which as C_R is encoded as the CBOR integer 0x27, is converted to the server Recipient ID 0x27.</t> <t>C_R is mapped to the Recipient ID of the server, i.e., the Sender ID of the client. The byte string 0x27, which as C_R is encoded as the CBOR integer 0x27, is converted to the server Recipient ID 0x27.</t>
<artwork><![CDATA[ <artwork><![CDATA[
Client's OSCORE Sender ID (Raw Value) (1 byte) Client's OSCORE Sender ID (Raw Value) (1 byte)
27 27
]]></artwork> ]]></artwork>
<t>C_I is mapped to the Recipient ID of the client, i.e., the Sender ID of the server. The byte string 0x37, which as C_I is encoded as the CBOR integer 0x0e is converted to the client Recipient ID 0x37.</t> <t>C_I is mapped to the Recipient ID of the client, i.e., the Sender ID of the server. The byte string 0x37, which as C_I is encoded as the CBOR integer 0x0e, is converted to the client Recipient ID 0x37.</t>
<artwork><![CDATA[ <artwork><![CDATA[
Server's OSCORE Sender ID (Raw Value) (1 byte) Server's OSCORE Sender ID (Raw Value) (1 byte)
37 37
]]></artwork> ]]></artwork>
<t>The OSCORE Master Secret is computed through EDHOC_Expand() using the <t>The OSCORE Master Secret is computed through EDHOC_Expand() using the
Application hash algorithm, see <xref section="A.1" sectionFormat="of" target="I -D.ietf-lake-edhoc"/>:</t> application hash algorithm (see <xref section="A.1" sectionFormat="of" target="R FC9528"/>):</t>
<artwork><![CDATA[ <artwork><![CDATA[
OSCORE Master Secret = EDHOC_Exporter( 0, h'', oscore_key_length ) OSCORE Master Secret = EDHOC_Exporter( 0, h'', oscore_key_length )
= EDHOC_KDF( PRK_exporter, 0, h'', oscore_key_length ) = EDHOC_KDF( PRK_exporter, 0, h'', oscore_key_length )
= HKDF-Expand( PRK_exporter, info, oscore_key_length ) = HKDF-Expand( PRK_exporter, info, oscore_key_length )
]]></artwork> ]]></artwork>
<t>where oscore_key_length is by default the key length in bytes for the Application AEAD <t>where oscore_key_length is by default the key length in bytes for the application AEAD
algorithm, and info for the OSCORE Master Secret is:</t> algorithm, and info for the OSCORE Master Secret is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
0, 0,
h'', h'',
16 16
) )
]]></artwork> ]]></artwork>
<t>where the last value is the key length in bytes for the Application A EAD algorithm.</t> <t>where the last value is the key length in bytes for the application A EAD algorithm.</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for OSCORE Master Secret (CBOR Sequence) (3 bytes) info for OSCORE Master Secret (CBOR Sequence) (3 bytes)
00 40 10 00 40 10
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
OSCORE Master Secret (Raw Value) (16 bytes) OSCORE Master Secret (Raw Value) (16 bytes)
8c 40 9a 33 22 23 ad 90 0e 44 f3 43 4d 2d 2c e3 f9 86 8f 6a 3a ca 78 a0 5d 14 85 b3 50 30 b1 62
]]></artwork> ]]></artwork>
<t>The OSCORE Master Salt is computed through EDHOC_Expand() using the A pplication hash algorithm, see <xref section="4.2" sectionFormat="of" target="I- D.ietf-lake-edhoc"/>:</t> <t>The OSCORE Master Salt is computed through EDHOC_Expand() using the a pplication hash algorithm (see <xref section="4.2" sectionFormat="of" target="RF C9528"/>):</t>
<artwork><![CDATA[ <artwork><![CDATA[
OSCORE Master Salt = EDHOC_Exporter( 1, h'', oscore_salt_length ) OSCORE Master Salt = EDHOC_Exporter( 1, h'', oscore_salt_length )
= EDHOC_KDF( PRK_exporter, 1, h'', oscore_salt_length ) = EDHOC_KDF( PRK_exporter, 1, h'', oscore_salt_length )
= HKDF-Expand( PRK_4x3m, info, oscore_salt_length ) = HKDF-Expand( PRK_4x3m, info, oscore_salt_length )
]]></artwork> ]]></artwork>
<t>where oscore_salt_length is the length in bytes of the OSCORE Master Salt, and info for the OSCORE Master Salt is:</t> <t>where oscore_salt_length is the length in bytes of the OSCORE Master Salt, and info for the OSCORE Master Salt is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
1, 1,
h'', h'',
8 8
) )
]]></artwork> ]]></artwork>
<t>where the last value is the length in bytes of the OSCORE Master Salt .</t> <t>where the last value is the length in bytes of the OSCORE Master Salt .</t>
<artwork><![CDATA[ <artwork><![CDATA[
info for OSCORE Master Salt (CBOR Sequence) (3 bytes) info for OSCORE Master Salt (CBOR Sequence) (3 bytes)
01 40 08 01 40 08
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
OSCORE Master Salt (Raw Value) (8 bytes) OSCORE Master Salt (Raw Value) (8 bytes)
61 63 f4 4b e8 62 ad fa ad a2 4c 7d bf c8 5e eb
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="key-update-1"> <section anchor="key-update-1">
<name>Key Update</name> <name>Key Update</name>
<t>Key update is defined in <xref section="H" sectionFormat="of" target= "I-D.ietf-lake-edhoc"/>.</t> <t>The key update is defined in <xref section="H" sectionFormat="of" tar get="RFC9528"/>.</t>
<artwork><![CDATA[ <artwork><![CDATA[
EDHOC_KeyUpdate( context ): EDHOC_KeyUpdate( context ):
PRK_out = EDHOC_KDF( PRK_out, 11, context, hash_length ) PRK_out = EDHOC_KDF( PRK_out, 11, context, hash_length )
= HKDF-Expand( PRK_out, info, hash_length ) = HKDF-Expand( PRK_out, info, hash_length )
]]></artwork> ]]></artwork>
<t>where hash_length is the length in bytes of the output of the EDHOC h ash function, context for KeyUpdate is</t> <t>where hash_length is the length in bytes of the output of the EDHOC h ash function, and the context for KeyUpdate is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
context for KeyUpdate (Raw Value) (16 bytes) context for KeyUpdate (Raw Value) (16 bytes)
a0 11 58 fd b8 20 89 0c d6 be 16 96 02 b8 bc ea a0 11 58 fd b8 20 89 0c d6 be 16 96 02 b8 bc ea
]]></artwork> ]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
context for KeyUpdate (CBOR Data Item) (17 bytes) context for KeyUpdate (CBOR Data Item) (17 bytes)
50 a0 11 58 fd b8 20 89 0c d6 be 16 96 02 b8 bc ea 50 a0 11 58 fd b8 20 89 0c d6 be 16 96 02 b8 bc ea
]]></artwork> ]]></artwork>
<t>and where info for key update is:</t> <t>and where info for the key update is:</t>
<artwork><![CDATA[ <artwork><![CDATA[
info = info =
( (
11, 11,
h'a01158fdb820890cd6be169602b8bcea', h'a01158fdb820890cd6be169602b8bcea',
32 32
) )
]]></artwork> ]]></artwork>
<artwork><![CDATA[
info for KeyUpdate (CBOR Sequence) (20 bytes)
0b 50 a0 11 58 fd b8 20 89 0c d6 be 16 96 02 b8 bc ea 18 20
]]></artwork>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_out after KeyUpdate (Raw Value) (32 bytes) PRK_out after KeyUpdate (Raw Value) (32 bytes)
5e 5e fc ae dd a8 d1 85 bb 7e 26 1d f1 91 59 1c d9 f7 c9 20 49 e7 0c f9 79 53 77 43 fe 0b d6 b9 b1 41 dd bd 79 65 6c 52 e6 dc 7c 50 ad 80
23 f6 b4 34 e3 6d fc 1d 1c 77 54 d7 4d 07 e8 7d 0d 16
]]></artwork> ]]></artwork>
<t>After key update the PRK_exporter needs to be derived anew:</t> <t>After the key update, the PRK_exporter needs to be derived anew:</t>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length ) = PRK_exporter = EDHOC_KDF( PRK_out, 10, h'', hash_length )
= HKDF-Expand( PRK_out, info, hash_length ) = HKDF-Expand( PRK_out, info, hash_length )
]]></artwork> ]]></artwork>
<t>where info and hash_length are unchanged as in <xref target="out-and- exporter2"/>.</t> <t>where info and hash_length are unchanged as in <xref target="out-and- exporter2"/>.</t>
<artwork><![CDATA[ <artwork><![CDATA[
PRK_exporter (Raw Value) (32 bytes) PRK_exporter after KeyUpdate (Raw Value) (32 bytes)
bb b3 b7 72 6e 97 9c 1b b3 46 a3 f9 2b f4 e0 28 8d 52 62 7f b5 e7 9a 00 fc f7 db 9b 2e ad 73 82 4e 7e 83 03 63 c8 05 c2 96 f9 02 83 0f ac
fd b3 b2 82 02 fd 2e 48 97 23 d8 6c 35 9c 75 2f 0f 17
]]></artwork> ]]></artwork>
<t>The OSCORE Master Secret is derived with the updated PRK_exporter:</t > <t>The OSCORE Master Secret is derived with the updated PRK_exporter:</t >
<artwork><![CDATA[ <artwork><![CDATA[
OSCORE Master Secret = OSCORE Master Secret
= HKDF-Expand(PRK_exporter, info, oscore_key_length) = HKDF-Expand( PRK_exporter, info, oscore_key_length )
]]></artwork> ]]></artwork>
<t>where info and key_length are unchanged as in <xref target="oscore-pa ram"/>.</t> <t>where info and oscore_key_length are unchanged as in <xref target="os core-parameters"/>.</t>
<artwork><![CDATA[ <artwork><![CDATA[
OSCORE Master Secret after KeyUpdate (Raw Value) (16 bytes) OSCORE Master Secret after KeyUpdate (Raw Value) (16 bytes)
c9 1b 16 4c 81 0b 29 a6 3f cb 73 e5 1b c4 55 f3 49 f7 2f ac 02 b4 65 8b da 21 e2 da c6 6f c3 74
]]></artwork> ]]></artwork>
<t>The OSCORE Master Salt is derived with the updated PRK_exporter:</t> <t>The OSCORE Master Salt is derived with the updated PRK_exporter:</t>
<artwork><![CDATA[ <artwork><![CDATA[
OSCORE Master Salt = HKDF-Expand(PRK_exporter, info, salt_length) OSCORE Master Salt
= HKDF-Expand( PRK_exporter, info, oscore_salt_length )
]]></artwork> ]]></artwork>
<t>where info and salt_length are unchanged as in <xref target="oscore-p aram"/>.</t> <t>where info and oscore_salt_length are unchanged as in <xref target="o score-parameters"/>.</t>
<artwork><![CDATA[ <artwork><![CDATA[
OSCORE Master Salt after KeyUpdate (Raw Value) (8 bytes) OSCORE Master Salt after KeyUpdate (Raw Value) (8 bytes)
73 ce 79 24 59 40 36 80 dd 8b 24 f2 aa 9b 01 1a
]]></artwork> ]]></artwork>
</section> </section>
</section> </section>
<section anchor="sec-trace-invalid"> <section anchor="sec-trace-invalid">
<name>Invalid Traces</name> <name>Invalid Traces</name>
<t>This section contains examples of invalid messages, which a compliant i mplementation will not compose and must or may reject according to <xref target= "I-D.ietf-lake-edhoc"/>, <xref target="RFC8949"/>, <xref target="RFC9053"/>, and <xref target="SP-800-56A"/>. This is just a small set of examples of different reasons a message might be invalid. The same types of invalidities applies to ot her fields and messages as well. Implementations should make sure to check for s imilar types of invalidities in all EHDOC fields and messages.</t> <t>This section contains examples of invalid messages, which a compliant i mplementation will not compose and must or may reject according to <xref target= "RFC9528"/>, <xref target="RFC8949"/>, <xref target="RFC9053"/>, and <xref targe t="SP-800-56A"/>. This is just a small set of examples of different reasons for which a message might be invalid. The same types of invalidities apply to other fields and messages as well. Implementations should make sure to check for simil ar types of invalidities in all EDHOC fields and messages.</t>
<section anchor="encoding-errors"> <section anchor="encoding-errors">
<name>Encoding Errors</name> <name>Encoding Errors</name>
<section anchor="surplus-array-encoding-of-message"> <section anchor="surplus-array-encoding-of-message">
<name>Surplus array encoding of message</name> <name>Surplus Array Encoding of a Message</name>
<t>Invalid encoding of message_1 as array. Correct encoding is a CBOR <t>message_1 is incorrectly encoded as a CBOR array. The correct encod
sequence according to Section 5.2.1 of <xref target="I-D.ietf-lake-edhoc"/>.</t> ing is a CBOR sequence according to <xref target="RFC9528" section="5.2.1" secti
onFormat="of" />.</t>
<artwork><![CDATA[ <artwork><![CDATA[
Invalid message_1 (38 bytes) Invalid message_1 (38 bytes)
84 03 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 84 03 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b
3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="surplus-bstr-encoding-of-connection-identifier"> <section anchor="surplus-bstr-encoding-of-connection-identifier">
<name>Surplus bstr encoding of connection identifier</name> <name>Surplus bstr Encoding of the Connection Identifier</name>
<t>Invalid encoding 41 0e of C_I = 0x0e. Correct encoding is 0e accord <t>The connection identifier C_I = 0x0e is incorrectly encoded as the
ing to Section 3.3.2 of <xref target="I-D.ietf-lake-edhoc"/>.</t> CBOR byte string 41 0e. The correct encoding is the integer 0e according to <xr
ef target="RFC9528" section="3.3.2" sectionFormat="of" />.</t>
<artwork><![CDATA[ <artwork><![CDATA[
Invalid message_1 (38 bytes) Invalid message_1 (38 bytes)
03 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d 03 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 3d
8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 41 0e 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 41 0e
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="surplus-array-encoding-of-ciphersuite"> <section anchor="surplus-array-encoding-of-ciphersuite">
<name>Surplus array encoding of ciphersuite</name> <name>Surplus Array Encoding of the Ciphersuite</name>
<t>Invalid array encoding 81 02 of SUITES_I = 2. Correct encoding is 0 <t>The element SUITES_I = 2 is incorrectly encoded as the CBOR array 8
2 according to Section 5.2.2 of <xref target="I-D.ietf-lake-edhoc"/>.</t> 1 02. The correct encoding is the integer 02 according to <xref target="RFC9528"
section="5.2.2" sectionFormat="of" />.</t>
<artwork><![CDATA[ <artwork><![CDATA[
Invalid message_1 (38 bytes) Invalid message_1 (38 bytes)
03 81 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b 03 81 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 5b
3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="text-string-encoding-of-ephemeral-key"> <section anchor="text-string-encoding-of-ephemeral-key">
<name>Text string encoding of ephemeral key</name> <name>Text String Encoding of the Ephemeral Key</name>
<t>Invalid type of the third element (G_X). Correct encoding is a byte <t>The third element of message_1 (G_X) is incorrectly encoded as a te
string according to Section 5.2.1 of <xref target="I-D.ietf-lake-edhoc"/>.</t> xt string. The correct encoding is a byte string according to <xref target="RFC9
528" section="5.2.1" sectionFormat="of" />.</t>
<artwork><![CDATA[ <artwork><![CDATA[
Invalid message_1 (37 bytes) Invalid message_1 (37 bytes)
03 02 78 20 20 61 69 72 20 73 70 65 65 64 20 6F 66 20 61 20 75 6E 6C 03 02 78 20 20 61 69 72 20 73 70 65 65 64 20 6F 66 20 61 20 75 6E 6C
61 64 65 6E 20 73 77 61 6C 6C 6F 77 20 0e 61 64 65 6E 20 73 77 61 6C 6C 6F 77 20 0e
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="wrong-number-of-cbor-sequence-elements"> <section anchor="wrong-number-of-cbor-sequence-elements">
<name>Wrong number of CBOR sequence elements</name> <name>Wrong Number of CBOR Sequence Elements</name>
<t>Invalid number of elements in the CBOR sequence. Correct number of <t>The CBOR sequence in message_2 has an incorrect number of elements.
elements is 1 according to Section 5.3.1 of <xref target="I-D.ietf-lake-edhoc"/> The correct number of elements in the CBOR sequence is 1 according to <xref tar
.</t> get="RFC9528" section="5.3.1" sectionFormat="of" />.</t>
<artwork><![CDATA[ <artwork><![CDATA[
Invalid message_2 (46 bytes) Invalid message_2 (46 bytes)
58 20 41 97 01 d7 f0 0a 26 c2 dc 58 7a 36 dd 75 25 49 f3 37 63 c8 93 58 20 41 97 01 d7 f0 0a 26 c2 dc 58 7a 36 dd 75 25 49 f3 37 63 c8 93
42 2c 8e a0 f9 55 a1 3a 4f f5 d5 4B 98 62 a1 1d e4 2a 95 d7 85 38 6a 42 2c 8e a0 f9 55 a1 3a 4f f5 d5 4B 98 62 a1 1d e4 2a 95 d7 85 38 6a
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="surplus-map-encoding-of-idcred-field"> <section anchor="surplus-map-encoding-of-idcred-field">
<name>Surplus map encoding of ID_CRED field</name> <name>Surplus Map Encoding of the ID_CRED Field</name>
<t>Invalid encoding a1 04 42 32 10 of ID_CRED_R in PLAINTEXT_2. Correc <t>The element ID_CRED_R in PLAINTEXT_2 is incorrectly encoded as the
t encoding is 42 32 10 according to Section 3.5.3.2 of <xref target="I-D.ietf-la map a1 04 42 32 10. The correct encoding is 42 32 10 according to <xref target="
ke-edhoc"/>.</t> RFC9528" section="3.5.3.2" sectionFormat="of" />.</t>
<artwork><![CDATA[ <artwork><![CDATA[
Invalid PLAINTEXT_2 (15 bytes) Invalid PLAINTEXT_2 (15 bytes)
27 a1 04 42 32 10 48 fa 5e fa 2e bf 92 0b f3 27 a1 04 42 32 10 48 fa 5e fa 2e bf 92 0b f3
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="surplus-bstr-encoding-of-idcred-field"> <section anchor="surplus-bstr-encoding-of-idcred-field">
<name>Surplus bstr encoding of ID_CRED field</name> <name>Surplus bstr Encoding of the ID_CRED Field</name>
<t>Invalid encoding 41 32 of ID_CRED_R in PLAINTEXT_2. Correct encodin <t>The element ID_CRED_R in PLAINTEXT_2 is incorrectly encoded as the
g is 32 according to Section 3.5.3.2 of <xref target="I-D.ietf-lake-edhoc"/>.</t byte string 41 32. The correct encoding is 32 according to <xref target="RFC9528
> " section="3.5.3.2" sectionFormat="of" />.</t>
<artwork><![CDATA[ <artwork><![CDATA[
Invalid PLAINTEXT_2 (12 bytes) Invalid PLAINTEXT_2 (12 bytes)
27 41 32 48 fa 5e fa 2e bf 92 0b f3 27 41 32 48 fa 5e fa 2e bf 92 0b f3
]]></artwork> ]]></artwork>
</section> </section>
</section> </section>
<section anchor="crypto-related-errors"> <section anchor="crypto-related-errors">
<name>Crypto-related Errors</name> <name>Cryptography-Related Errors</name>
<section anchor="error-in-length-of-ephemeral-key"> <section anchor="error-in-length-of-ephemeral-key">
<name>Error in length of ephemeral key</name> <name>Error in the Length of the Ephemeral Key</name>
<t>Invalid length of the third element (G_X). Selected cipher suite is <t>The third element (G_X) has an invalid length. The selected cipher
cipher suite 24 with curve P-384 according to Sections 5.2.2, and 10.2 of <xref suite is cipher suite 24 with curve P-384 according to Sections <xref target="RF
target="I-D.ietf-lake-edhoc"/>. Correct length of x-coordinate is 48 bytes acco C9528" sectionFormat="bare" section="5.2.2"/> and <xref target="RFC9528" section
rding to Section 3.7 of <xref target="I-D.ietf-lake-edhoc"/> and Section 7.1.1 o Format="bare" section="10.2"/> of <xref target="RFC9528"/>. The correct length o
f <xref target="RFC9053"/>.</t> f the x-coordinate is 48 bytes according to <xref target="RFC9528" section="3.7"
sectionFormat="of" /> and <xref target="RFC9053" section="7.1.1" sectionFormat=
"of" />.</t>
<artwork><![CDATA[ <artwork><![CDATA[
Invalid message_1 (40 bytes) Invalid message_1 (40 bytes)
03 82 02 18 18 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b 03 82 02 18 18 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b
ea 5b 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e ea 5b 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="error-in-elliptic-curve-representation"> <section anchor="error-in-elliptic-curve-representation">
<name>Error in elliptic curve representation</name> <name>Error in Elliptic Curve Representation</name>
<t>Invalid x-coordinate in G_X as x <contact fullname="≥"/> p. Require <t>The x-coordinate in G_X is invalid as x p. It is required that x
ment that x &lt; p according to Section 9.2 of <xref target="I-D.ietf-lake-edhoc &lt; p according to Section 5.6.2.3 of <xref target="SP-800-56A"/>, which is re
"/> and Section 5.6.2.3 of <xref target="SP-800-56A"/>.</t> ferenced in <xref target="RFC9528" section="9.2" sectionFormat="of" />.</t>
<artwork><![CDATA[ <artwork><![CDATA[
Invalid message_1 (37 bytes) Invalid message_1 (37 bytes)
03 02 58 20 ff ff ff ff 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 03 02 58 20 ff ff ff ff 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
00 ff ff ff ff ff ff ff ff ff ff ff ff 0e 00 ff ff ff ff ff ff ff ff ff ff ff ff 0e
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="error-in-elliptic-curve-point"> <section anchor="error-in-elliptic-curve-point">
<name>Error in elliptic curve point</name> <name>Error in the Elliptic Curve Point</name>
<t>Invalid x-coordinate in (G_X) not corresponding to a point on the P <t>The x-coordinate in G_X is invalid as it does not correspond to a p
-256 curve. Requirement that y<sup>2</sup> <contact fullname="≡"/> x<sup>3</sup> oint on the P-256 curve. It is required that y<sup>2</sup> x<sup>3</sup> + a
+ a <contact fullname="⋅"/> x + b (mod p) according to Section 9.2 of <xref tar x + b (mod p) according to Section 5.6.2.3 of <xref target="SP-800-56A"/>, whic
get="I-D.ietf-lake-edhoc"/> and Section 5.6.2.3 of <xref target="SP-800-56A"/>.< h is referenced in <xref target="RFC9528" section="9.2" sectionFormat="of" />.</
/t> t>
<artwork><![CDATA[ <artwork><![CDATA[
Invalid message_1 (37 bytes) Invalid message_1 (37 bytes)
03 02 58 20 a0 4e 73 60 1d f5 44 a7 0b a7 ea 1e 57 03 0f 7d 4b 4e b7 03 02 58 20 a0 4e 73 60 1d f5 44 a7 0b a7 ea 1e 57 03 0f 7d 4b 4e b7
f6 73 92 4e 58 d5 4c a7 7a 5e 7d 4d 4a 0e f6 73 92 4e 58 d5 4c a7 7a 5e 7d 4d 4a 0e
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="curve-point-of-low-order"> <section anchor="curve-point-of-low-order">
<name>Curve point of low order</name> <name>Curve Point of the Low Order</name>
<t>Curve25519 point of low order which fails the check for all-zero ou <t>The Curve25519 point is invalid as it is of low order and fails the
tput according to Section 9.2 of <xref target="I-D.ietf-lake-edhoc"/>.</t> check for all-zero output according to <xref target="RFC9528" section="9.2" sec
tionFormat="of" />.</t>
<artwork><![CDATA[ <artwork><![CDATA[
Invalid message_1 (37 bytes) Invalid message_1 (37 bytes)
03 00 58 20 ed ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 03 00 58 20 ed ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff 7f 0e ff ff ff ff ff ff ff ff ff ff ff ff 7f 0e
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="error-in-length-of-mac"> <section anchor="error-in-length-of-mac">
<name>Error in length of MAC</name> <name>Error in the Length of the MAC</name>
<t>Invalid length of third element (Signature_or_MAC_2). The length of <t>The third element (Signature_or_MAC_2) has an invalid length. The l
Signature_or_MAC_2 is given by the cipher suite and the MAC length is at least ength of Signature_or_MAC_2 is given by the cipher suite, and the MAC length is
8 bytes according to Section 9.3 of <xref target="I-D.ietf-lake-edhoc"/>.</t> at least 8 bytes according to <xref target="RFC9528" section="9.3" sectionFormat
="of" />.</t>
<artwork><![CDATA[ <artwork><![CDATA[
Invalid PLAINTEXT_2 (7 bytes) Invalid PLAINTEXT_2 (7 bytes)
27 32 44 fa 5e fa 2e 27 32 44 fa 5e fa 2e
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="error-in-elliptic-curve-encoding"> <section anchor="error-in-elliptic-curve-encoding">
<name>Error in elliptic curve encoding</name> <name>Error in the Elliptic Curve Encoding</name>
<t>Invalid encoding of third element (G_X). Correct encoding is with l <t>The third element (G_X) is incorrectly encoded. The correct encodin
eading zeros according to Section 3.7 of <xref target="I-D.ietf-lake-edhoc"/> an g is with leading-zero octets according to <xref target="RFC9053" section="7.1.1
d Section 7.1.1 of <xref target="RFC9053"/>.</t> " sectionFormat="of" />, which is referenced in <xref target="RFC9528" section="
3.7" sectionFormat="of" />.</t>
<artwork><![CDATA[ <artwork><![CDATA[
Invalid message_1 (36 bytes) Invalid message_1 (36 bytes)
03 02 58 1f d9 69 77 25 d2 3a 68 8b 12 d1 c7 e0 10 8a 08 c9 f7 1a 85 03 02 58 1f d9 69 77 25 d2 3a 68 8b 12 d1 c7 e0 10 8a 08 c9 f7 1a 85
a0 9c 20 81 49 76 ab 21 12 22 48 fc 0e a0 9c 20 81 49 76 ab 21 12 22 48 fc 0e
]]></artwork> ]]></artwork>
</section> </section>
</section> </section>
<section anchor="non-deterministic-cbor"> <section anchor="non-deterministic-cbor">
<name>Non-deterministic CBOR</name> <name>Non-deterministic CBOR</name>
<section anchor="unnecessary-long-encoding"> <section anchor="unnecessary-long-encoding">
<name>Unnecessary long encoding</name> <name>Unnecessary Long Encoding</name>
<t>Invalid 16-bit encoding 19 00 03 of METHOD = 3. Correct is the dete <t>The element METHOD = 3 is incorrectly encoded as a 16-bit integer.
rministic encoding 03 according to Section 3.1 of <xref target="I-D.ietf-lake-ed The deterministic encoding 03 is correct according to <xref target="RFC9528" sec
hoc"/> and Section 4.2.1 of <xref target="RFC8949"/>, which states that the argu tion="3.1" sectionFormat="of" /> and <xref target="RFC8949" section="4.2.1" sect
ments for integers, lengths in major types 2 through 5, and tags are required to ionFormat="of" />, which states that the arguments for integers, lengths in majo
be as short as possible.</t> r types 2 through 5, and tags are required to be as short as possible.</t>
<artwork><![CDATA[ <artwork><![CDATA[
Invalid message_1 (39 bytes) Invalid message_1 (39 bytes)
19 00 03 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea 19 00 03 02 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b ea
5b 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e 5b 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e
]]></artwork> ]]></artwork>
</section> </section>
<section anchor="indefinite-length-array-encoding"> <section anchor="indefinite-length-array-encoding">
<name>Indefinite-length array encoding</name> <name>Indefinite-Length Array Encoding</name>
<t>Invalid indefinite-length array encoding 9F 06 02 FF of SUITES_I = <t>The element SUITES_I = [6, 2] is incorrectly encoded as an indefini
[6, 2]. Correct encoding is 82 06 02 according to Section 5.2.2 of <xref target= te-length array. The correct encoding is the definite-length array 82 06 02 acco
"I-D.ietf-lake-edhoc"/>.</t> rding to <xref target="RFC8949" section="4.2.1" sectionFormat="of"/>, which is r
eferenced in <xref target="RFC9528" section="3.1" sectionFormat="of" />.</t>
<artwork><![CDATA[ <artwork><![CDATA[
Invalid message_1 (40 bytes) Invalid message_1 (40 bytes)
03 9F 06 02 FF 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b 03 9F 06 02 FF 58 20 74 1a 13 d7 ba 04 8f bb 61 5e 94 38 6a a3 b6 1b
ea 5b 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e ea 5b 3d 8f 65 f3 26 20 b7 49 be e8 d2 78 ef a9 0e
]]></artwork> ]]></artwork>
</section> </section>
</section> </section>
</section> </section>
<section anchor="security"> <section anchor="security">
<name>Security Considerations</name> <name>Security Considerations</name>
<t>This document contains examples of EDHOC <xref target="I-D.ietf-lake-ed hoc"/> whose security considerations apply. The keys printed in these examples c annot be considered secret and MUST NOT be used.</t> <t>This document contains examples of EDHOC <xref target="RFC9528"/>. The security considerations described in <xref target="RFC9528"/> apply. The keys pr inted in these examples cannot be considered secret and <bcp14>MUST NOT</bcp14> be used.</t>
</section> </section>
<section anchor="iana"> <section anchor="iana">
<name>IANA Considerations</name> <name>IANA Considerations</name>
<t>There are no IANA considerations.</t> <t>This document has no IANA actions.</t>
</section> </section>
</middle> </middle>
<back> <back>
<references> <references>
<name>References</name> <name>References</name>
<references> <references anchor="sec-normative-references">
<name>Normative References</name> <name>Normative References</name>
<reference anchor="I-D.ietf-lake-edhoc">
<front>
<title>Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
<author fullname="Göran Selander" initials="G." surname="Selander">
<organization>Ericsson AB</organization>
</author>
<author fullname="John Preuß Mattsson" initials="J. P." surname="Mat
tsson">
<organization>Ericsson AB</organization>
</author>
<author fullname="Francesca Palombini" initials="F." surname="Palomb
ini">
<organization>Ericsson AB</organization>
</author>
<date day="25" month="August" year="2023"/>
<abstract>
<t> This document specifies Ephemeral Diffie-Hellman Over COSE (
EDHOC), a
very compact and lightweight authenticated Diffie-Hellman key
exchange with ephemeral keys. EDHOC provides mutual authentication,
forward secrecy, and identity protection. EDHOC is intended for
usage in constrained scenarios and a main use case is to establish an
OSCORE security context. By reusing COSE for cryptography, CBOR for
encoding, and CoAP for transport, the additional code size can be
kept very low.
</t> <reference anchor='RFC9528'>
</abstract> <front>
</front> <title>Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
<seriesInfo name="Internet-Draft" value="draft-ietf-lake-edhoc-22"/> <author initials='G' surname='Selander' fullname='Göran Selander'>
</reference> <organization />
<reference anchor="RFC2119"> </author>
<front> <author initials='J' surname='Preuß Mattsson' fullname='John Preuß Mattsson'>
<title>Key words for use in RFCs to Indicate Requirement Levels</tit <organization />
le> </author>
<author fullname="S. Bradner" initials="S." surname="Bradner"/> <author initials='F' surname='Palombini' fullname='Francesca Palombini'>
<date month="March" year="1997"/> <organization />
<abstract> </author>
<t>In many standards track documents several words are used to sig <date year='2024' month='March'/>
nify the requirements in the specification. These words are often capitalized. T </front>
his document defines these words as they should be interpreted in IETF documents <seriesInfo name="RFC" value="9528"/>
. This document specifies an Internet Best Current Practices for the Internet Co <seriesInfo name="DOI" value="10.17487/RFC9528"/>
mmunity, and requests discussion and suggestions for improvements.</t> </reference>
</abstract>
</front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"
<seriesInfo name="BCP" value="14"/> />
<seriesInfo name="RFC" value="2119"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"
<seriesInfo name="DOI" value="10.17487/RFC2119"/> />
</reference>
<reference anchor="RFC8174">
<front>
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</ti
tle>
<author fullname="B. Leiba" initials="B." surname="Leiba"/>
<date month="May" year="2017"/>
<abstract>
<t>RFC 2119 specifies common key words that may be used in protoco
l specifications. This document aims to reduce the ambiguity by clarifying that
only UPPERCASE usage of the key words have the defined special meanings.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="8174"/>
<seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>
</references> </references>
<references> <references anchor="sec-informative-references">
<name>Informative References</name> <name>Informative References</name>
<reference anchor="RFC7252">
<front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml"
<title>The Constrained Application Protocol (CoAP)</title> />
<author fullname="Z. Shelby" initials="Z." surname="Shelby"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8032.xml"
<author fullname="K. Hartke" initials="K." surname="Hartke"/> />
<author fullname="C. Bormann" initials="C." surname="Bormann"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8392.xml"
<date month="June" year="2014"/> />
<abstract> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8949.xml"
<t>The Constrained Application Protocol (CoAP) is a specialized we />
b transfer protocol for use with constrained nodes and constrained (e.g., low-po <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9053.xml"
wer, lossy) networks. The nodes often have 8-bit microcontrollers with small amo />
unts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wire
less Personal Area Networks (6LoWPANs) often have high packet error rates and a
typical throughput of 10s of kbit/s. The protocol is designed for machine- to-ma
chine (M2M) applications such as smart energy and building automation.</t>
<t>CoAP provides a request/response interaction model between appl
ication endpoints, supports built-in discovery of services and resources, and in
cludes key concepts of the Web such as URIs and Internet media types. CoAP is de
signed to easily interface with HTTP for integration with the Web while meeting
specialized requirements such as multicast support, very low overhead, and simpl
icity for constrained environments.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7252"/>
<seriesInfo name="DOI" value="10.17487/RFC7252"/>
</reference>
<reference anchor="RFC7748">
<front>
<title>Elliptic Curves for Security</title>
<author fullname="A. Langley" initials="A." surname="Langley"/>
<author fullname="M. Hamburg" initials="M." surname="Hamburg"/>
<author fullname="S. Turner" initials="S." surname="Turner"/>
<date month="January" year="2016"/>
<abstract>
<t>This memo specifies two elliptic curves over prime fields that
offer a high level of practical security in cryptographic applications, includin
g Transport Layer Security (TLS). These curves are intended to operate at the ~1
28-bit and ~224-bit security level, respectively, and are generated deterministi
cally based on a list of required properties.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7748"/>
<seriesInfo name="DOI" value="10.17487/RFC7748"/>
</reference>
<reference anchor="RFC8032">
<front>
<title>Edwards-Curve Digital Signature Algorithm (EdDSA)</title>
<author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
<author fullname="I. Liusvaara" initials="I." surname="Liusvaara"/>
<date month="January" year="2017"/>
<abstract>
<t>This document describes elliptic curve signature scheme Edwards
-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with r
ecommended parameters for the edwards25519 and edwards448 curves. An example imp
lementation and test vectors are provided.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8032"/>
<seriesInfo name="DOI" value="10.17487/RFC8032"/>
</reference>
<reference anchor="RFC8392">
<front>
<title>CBOR Web Token (CWT)</title>
<author fullname="M. Jones" initials="M." surname="Jones"/>
<author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/
>
<author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
<author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/
>
<date month="May" year="2018"/>
<abstract>
<t>CBOR Web Token (CWT) is a compact means of representing claims
to be transferred between two parties. The claims in a CWT are encoded in the Co
ncise Binary Object Representation (CBOR), and CBOR Object Signing and Encryptio
n (COSE) is used for added application-layer security protection. A claim is a p
iece of information asserted about a subject and is represented as a name/value
pair consisting of a claim name and a claim value. CWT is derived from JSON Web
Token (JWT) but uses CBOR rather than JSON.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8392"/>
<seriesInfo name="DOI" value="10.17487/RFC8392"/>
</reference>
<reference anchor="RFC8949">
<front>
<title>Concise Binary Object Representation (CBOR)</title>
<author fullname="C. Bormann" initials="C." surname="Bormann"/>
<author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
<date month="December" year="2020"/>
<abstract>
<t>The Concise Binary Object Representation (CBOR) is a data forma
t whose design goals include the possibility of extremely small code size, fairl
y small message size, and extensibility without the need for version negotiation
. These design goals make it different from earlier binary serializations such a
s ASN.1 and MessagePack.</t>
<t>This document obsoletes RFC 7049, providing editorial improveme
nts, new details, and errata fixes while keeping full compatibility with the int
erchange format of RFC 7049. It does not create a new version of the format.</t>
</abstract>
</front>
<seriesInfo name="STD" value="94"/>
<seriesInfo name="RFC" value="8949"/>
<seriesInfo name="DOI" value="10.17487/RFC8949"/>
</reference>
<reference anchor="RFC9053">
<front>
<title>CBOR Object Signing and Encryption (COSE): Initial Algorithms
</title>
<author fullname="J. Schaad" initials="J." surname="Schaad"/>
<date month="August" year="2022"/>
<abstract>
<t>Concise Binary Object Representation (CBOR) is a data format de
signed for small code size and small message size. There is a need to be able to
define basic security services for this data format. This document defines a se
t of algorithms that can be used with the CBOR Object Signing and Encryption (CO
SE) protocol (RFC 9052).</t>
<t>This document, along with RFC 9052, obsoletes RFC 8152.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9053"/>
<seriesInfo name="DOI" value="10.17487/RFC9053"/>
</reference>
<reference anchor="CborMe" target="https://cbor.me/"> <reference anchor="CborMe" target="https://cbor.me/">
<front> <front>
<title>CBOR playground</title> <title>CBOR playground</title>
<author initials="C." surname="Bormann"> <author initials="C." surname="Bormann">
<organization/> <organization/>
</author> </author>
<date year="2023" month="August"/>
</front> </front>
</reference> </reference>
<reference anchor="SP-800-56A" target="https://doi.org/10.6028/NIST.SP.8
00-56Ar3"> <reference anchor="SP-800-56A">
<front> <front>
<title>Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</title> <title>Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</title>
<author initials="E." surname="Barker"> <author initials="E." surname="Barker">
<organization/> <organization/>
</author> </author>
<author initials="L." surname="Chen"> <author initials="L." surname="Chen">
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Roginsky"> <author initials="A." surname="Roginsky">
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Vassilev"> <author initials="A." surname="Vassilev">
<organization/> <organization/>
</author> </author>
<author initials="R." surname="Davis"> <author initials="R." surname="Davis">
<organization/> <organization/>
</author> </author>
<date year="2018" month="April"/> <date year="2018" month="April"/>
</front> </front>
<seriesInfo name="NIST" value="Special Publication 800-56A Revision 3" /> <seriesInfo name="NIST" value="Special Publication 800-56A Revision 3" />
<seriesInfo name="DOI" value="10.6028/NIST.SP.800-56Ar3"/>
</reference> </reference>
<reference anchor="SP-800-186" target="https://doi.org/10.6028/NIST.SP.8
00-186"> <reference anchor="SP-800-186">
<front> <front>
<title>Recommendations for Discrete Logarithm-based Cryptography: El liptic Curve Domain Parameters</title> <title>Recommendations for Discrete Logarithm-based Cryptography: El liptic Curve Domain Parameters</title>
<author initials="L." surname="Chen"> <author initials="L." surname="Chen">
<organization/> <organization/>
</author> </author>
<author initials="D." surname="Moody"> <author initials="D." surname="Moody">
<organization/> <organization/>
</author> </author>
<author initials="K." surname="Randall"> <author initials="K." surname="Randall">
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Regenscheid"> <author initials="A." surname="Regenscheid">
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Robinson"> <author initials="A." surname="Robinson">
<organization/> <organization/>
</author> </author>
<date year="2023" month="February"/> <date year="2023" month="February"/>
</front> </front>
<seriesInfo name="NIST" value="Special Publication 800-186"/> <seriesInfo name="NIST" value="Special Publication 800-186"/>
<seriesInfo name="DOI" value="10.6028/NIST.SP.800-186"/>
</reference> </reference>
</references> </references>
</references> </references>
<?line 3026?>
<section numbered="false" anchor="acknowledgments"> <section numbered="false" anchor="acknowledgments">
<name>Acknowledgments</name> <name>Acknowledgments</name>
<t>The authors want to thank all people verifying EDHOC test vectors and/o <t>The authors want to thank all people verifying EDHOC test vectors and/o
r contributing to the interoperability testing including: <contact fullname="Chr r contributing to the interoperability testing, including: <contact fullname="Ch
istian Amsüss"/>, <contact fullname="Timothy Claeys"/>, <contact fullname="Stefa ristian Amsüss"/>, <contact fullname="Timothy Claeys"/>, <contact fullname="Rika
n Hristozov"/>, <contact fullname="Rikard Höglund"/>, <contact fullname="Christo rd Höglund"/>, <contact fullname="Stefan Hristozov"/>, <contact fullname="Christ
s Koulamas"/>, <contact fullname="Francesca Palombini"/>, <contact fullname="Lid os Koulamas"/>, <contact fullname="Francesca Palombini"/>, <contact fullname="Li
ia Pocero"/>, <contact fullname="Peter van der Stok"/>, and <contact fullname="M dia Pocero"/>, <contact fullname="Peter van der Stok"/>, and <contact fullname="
ichel Veillette"/>.</t> Michel Veillette"/>.</t>
</section> </section>
</back> </back>
<!-- ##markdown-source:
H4sIAAAAAAAAA9293XLcSLImeB9PEau6EDXLpIDAP62rz6FIqsRRqUpLqrqr
rKdNFgACYraSmdxEUhKPTHu3trY2Ns8wMxf7CnO1V3tmX2SfZN098I8A8k9U
1ZlqNpVEAoH48Z/PPdw9JpMJ+3DMHcZW09VMHfM3S5monC8yfn724udTli6S
ubyBL9KlzFaTqVplk5l8ryYrunFihUzG8VJ9OGZsers85qvlXb4SlhVZgsml
ksf8SiV3y+nqnn18d8x/PHl5zv+6WL6fzt/xH5aLu1v2/uMxv5iv1HKuVpMz
fA1L5OqYT+fZguV38c00z6eL+er+Frpxcf7mOWPJIoXnj/kd9CZkt9Nj/h1P
5Jzf5YrL5VLe84NpxuVsxu9V/oQvlvxa5tf8Wi0V43y1SI7xC/iYL5arpcry
6u/7m+afcGeqblfXx1wwJu9W14vlMZtwPSM//Ot/W8I7r9RMzlO1xKfvlvqr
xrXFEvp5vpwmeb6Yw9/J4m6+Wt7DPR9VqvCKupHT2TF/t4DWjvLiyX9WxSNH
yeKmeuW/X1zP+euluvvX/8xfydWqaHM6n66mcgbd/vfNXvRv3Lgz/4AXHd0U
D5r78gpW9z2MFBZs2u7Eq/ZUlDfQy0+urk74ybMff/6t+frXCxx1/fobbBvm
gh79Z5nnUsazxX33/cmCv5nOFokcfn31Pb398uLqfGzYN9jm0Yqe+eflFHrQ
eN1s+v/+V8n/cvff/xO867//H7130hsu5supbL7iOaxqopqvmE1zefThLoGn
k3+e4v1H2ZKx+WIJEz79oICTOL+YnB3VzKbSa6BZ4DBgieZdl89PA+GJ4+Jj
4IbFx9ByyquhE1UfIzcqPkaW51ATp/Fi+UrhVSB3uXyngPOuV6vb/Pjp0wS+
O7pRT/WXWkCcPvv5kt/O5P07YF5aM85LzuD036T4F+cHpub0iD/DTs/ndD2V
K2jl5O4dF5ZwsAdXryehZU08/8Tci3QxPYK5fWpbR74lwqc/XVy9Obp6fVQ8
tHSa3btUQCM3ag6vAZnBYbr4azldTv46BdHwUt1PzvMV0NI0v4abVvwquVY3
IO9+yVEenU3zZKlWiv+4eCdBZF3f8NPl/e1q8W4pb6/v6T1AlFOV40KU432E
HXp0zB9d3aoEyIG/voMXJLoDRSehXx+mKMW482j9lJ3DlMnle5Ifhq9/POKn
12pu/vLkiF8u3sHH9/eDN/wFOGo6Ux/MN1we8TMJvW0u1+1yOoMFs8PGgtmh
v/2CwUPN5XrUXq+cFqy/DJNY5iptLQbM0mw2vV1NE356t/yg+NkCGAyko1wC
v4I2yR/tul7Qxw0WaXQVzo74q8UiHViCl7BGIO9APw2voXqn5jlQ5zQdWecY
Pi6afPVcxcs7ubwvmGsymXAZ56irV4y9uZ7mHBT6HZF+AioVJiwHHXijuPok
b25niq9q/X+LrLGE+TmbZtlUTV6o2QzYmP/8QS356c9X5/yAMMKTI/2im2ma
zhRj36E2Xy7SuwRnlDG6iX/+bBBpX75w6JLks+m769VHhb9p0qF/uCCw5O/V
PfQtuZbzd4rfLhegkRcznsKKvpvD10gu1/DY7B7HgwOd4uVcrVbA0PkRHxgz
SKPFil6wagMeeJTQRn7IPwLlwVzf3q0O+eJuRf/CqsEloK4blU7heexSgk+A
9Fiq/G62ygE08HwKkznN7vlK5dgRbB4vKeyFpnTsWjXd1xIIOFZqzmFupzDZ
KY/h4Y8LeBkAEGAP7H23BZjq70C/rgBDFZMMY13ezaElmExoDBbrglTUCqbp
4OIJdV8CbeW3CwQZ/ODyie4H8PcHGM7TW2IFmvVbEJs5PQHMiO9HTYcDgeVp
NIs34JW60aX6X++mS5zaBU4P0IGiO6rVA4Gby3cwbNDyPL9efJzDMOmWYjo+
AgHwuYK36hXGrxI5S+5m1cj1eOuWuutSLga+Qs0BLyq8QWuvz58LXQjkR+OT
9HYAfoslLgNPpzlquMYj0Oi7+SJHaUOEg6LiDlf9kKujd0eH1MWOaoT3aOX6
5QsQ0/U0uQbl/x46C/fecCXze5ohuQTNRHR8B9wFdHHamG7sGvy7wF51hqHf
rF/6VxXzN4v3IDH4welf3zwphgia/8uXI2R8ZeABJC894QAE/h08kqtEw/qJ
DTMzASVdcSKOl/gB+U6u7mCegEZyPqWeVgQL7yGg/UHO7lRJK78eeVbEE7XE
G5GroZNACx+mxWA+f8bv8i9fCloEar9dwGLmBOfP0zNAjHo8AGqgYzhXst01
XMVfhefZkb4TkVBxpyrF2EQNCbSmjDnqToUYngqkg8TQWHdagMSXK3pLdR04
ayZjeASFA6wYP53J6Q0yM67g6VXeXkLDvKAS468nwvPhzlojF6OOF9BB09Bx
pnTHN5wPLUFpLjQlTmezOxS0K03JPJlCO0tA3FNgu7l6t0DBAJOkhWWx0Mih
lY4BupgtPtbyYAFC71rJtBC5FVPn03/RkvnAiQ656x1yO3oCEwpvRgmgW6Mb
pnOguGnKu1JhiZx1Ny/IrF7U4n5ijp9+fnPObT3FOUAHwvsoSe/yUsFAx1OA
CgDd6e0wgUvULqXsmy41FxKDlmqnEmYFv+klwQlbyo/GZuDO5VJLUaKKqkno
Bmh3yWGCb/Kyx+KIX2QojHgyU3LJs+XipmgF5OAn0FVLWN2bWKH4lCvdXA6i
GZosBCZdInMZ/s5zEA9DL4WvudK6p+qAc8T/inK6JdphzHMYwZKUXmc10gX8
wg5P5yhs5ytQ2gV56KHPCmZOlos8J+u9fPYQEMJ76N3i5HXB4GD1oFhFrtQA
pnrN6v4W2HQGjePy3y61+kw1bcHkzBXhkhYvEqUuVlrq4pNlc29t1MDI9qhB
c6WQ2XQDOcyAe2TTsydHAsnQiHBIqi2AY4lwqVN6EpLZXSEBG6qP/mpAFpht
1PJvQLNN54vZ4t09vfBS61haEP4jMOoddJZ//g414Bct8JGLPy6Wac4fvfoF
AO+h/pfD4uHny/P/5ZeLy/Mz/Hz14uTHH6sPrLjj6sXPv/x4Vn+qnzz9+dWr
85/O9MNwlbcusUevTn57pNn/0c+v31z8/NPJj496I6OZWJFmI819i5Af4EnO
QFwky2ms5+bZ6ev/57/YLsz7/wTrLmwbtbb+I7QDF/5AtKDftpjD2uk/YUrv
mby9RdaYzomYEnk7XYEIO0Rq1rAD6fCI/emfQAwrPvH/6c8Mp9so7a9KxQfP
a4122tRoFy2J//iTt3rMv4MFaepUxi6KOajQdgtKlQithc9omtqYmPqTTt/h
aGqFDIrj1fmbFz+f8e+59QSN7kLejGG1/O4WubUtxK0SrqRoRwHdFZJezt4t
yBzTgEGz98n5yVn9Dbz75Pxqcnr6amL7E9+d2CKsbiVo0LwVyA0VWHXDq5NT
PlPzd4S7C345uCrU7Isn8ETdWMswqBs9OD89e8ETtAjxfg0Kqodq9NLsBkEM
uOfk9rayAzcaVvOBwcERM9a4WksAkEqwYrCk5XIaQFIfW5HRhZoSluq2tHM1
sWljoJJajNHy15BhgIryBlVPjxQA2ZqGYJH/t+I/Vlw9IP1whnrhAvTCE35g
0zI9YZZV3/z5GF4H6HL5fgJa9t38+0czla0eFXKpJsccVEoCfWsT3xE/4Yis
Zx1ogWxTKCZJcALG1ezi1S8Xb86v3l5s2MlOX8DGoUlHmFLhotIMIhSAoIvm
DFdijAabnape8DhvtFtYW/g8+xWYHADBXxAxQ1cdoen+CQsjLmAKBA8V9xIe
+9z3eWRzK+RuwC2POxH3LG7FPLC4p7hv8dTCb1MHb0g8HtosANgY8czh0G6Q
8FDyMOBxzC2nMRPrelvRLvvh7WB3HZtnIRcJD2LuxTxK8DWZxTObRy5PI247
PEm4LbjKuO1hh6CjIsQ/4bMPnyVzQ+g0lzZPLByVrbhweJBxy607uWVve8Tg
uGWXPeivxffrOKOO8006PkT+01VuxiX8FKhZa0ikuQZm5NYnkZZSGpgFsPl0
RdZ/Q64UQsOe0IM0D8AyfALKtM1L2FiTaE+NnUkQxKBUrofAsIMteig5TaSG
Bduy3UE2bjbOfloAC+LmERo35K+b/ouWyAhfm8MCiQ5wTjd7VQBhaNUqyWFQ
NJBj6Q6XqpKv5DrnDZT4Pf19oH101mH73+vHjp2FIgliL46SOM6szI7cNLKd
JLGFymzPEakjQpU5wneEdMPS1xfa0k6swLKVcILMch8XLcIi0ocnjfHVnemN
0QnKQVogIkBc7EX5rMGyI5TPW+vU0E5Cz3APhWiUcbPIVwjbM7VEJxIZrMQp
8EcXpoA5Wol9dCQmibpF97466r7igeR79YJB+f7bkMBUPs44TFYW4zLYMU9c
7ng49cLlrs9DmkcFKwSrl+GC+SDBM5xrS6L0T2MGgt51eQQaQuIygGwTNlfw
Exr4b6CzTYE52NsUXg2qBSjA4zasisdhOfyAZwl21fax5z4MIQSYzQMXKSYi
X1oYcyfkoId8wRzoto8aS7o8BL6LeCx4lHI72bm3a8X7fh1n1HG+Scd7RL2B
eL8cFO92aBLvaDg2RTwCoZ6Abwv368d2+Bjh3CfXtsNtxHw1FIYdNYp520Rm
W7bbW8GK5lybN1/ACqfKHK3D25VG3G9evBU44tI9DIMmv2yDi9vIHGaAnvme
vzjgQEKH8G8lOZ+0BGrriwG+SGzuezz1uYyIIGIko0yCKOJhSmwbI4WBoPQz
HqQ8AFnpICW5DrI/POK7DBFbxKVATgF5ajmI+VJoOTahtHa31jLAfj1k1EO+
UQ9xfWi/BKm6WpBqiSoXeemFgqXoLUALjZqb6mk3P/ymLM83mFe22cpvNq/V
Jz38AUL0uWuhoQCK2oU++jgysBhkjHOQCWzb1xYDaAsXf0eg1YFYUhxrEHFf
MsvnnsBxgHICZROByoG+hDigwe6sJ8C9esaoZ3yjnrHXly/fCjIVc9zbJduZ
XL+Fz467Rzb+b9BZB7jh+XSZr/SGDvkS8mu5pC1F3JMGifHrbyRvFjdAnegg
Rr8rWhoIVICYAUmgYqIdiaa0pQdba9dvvY0PPJ6kaLoBfYU+fgbKApgWEEZz
yRZUcLeFhh2YfSrgdsY9IK4IGRuAQugyoEH41sl4DLQWImhIMmxBdOTq/JDX
c9eTpSRH355/on3kgye1X6gyMgYkLULUot3vO63wXM5gmmlanhTwufgPRPOr
k9NJ4UBp38nYR3Ta0TXsK9Jgc5rp+h+HRYrBD4EqsNFdXFa4xYP1TRHGBQEK
ADfGpVQxLit8C5Acbk5BuoRIDFaKSxkBQHRI0iQIGS0SP7C4cA+g71Q2OnRF
IKL27Rx2/IBN11BerHrtGzri+nl8xozFYSWKNocdbXAPedq62Pxx3t5V1JC8
oDx8YAhwlzC7sxmI2PDqZReyNBiL1tTKeBahLQQMJNEhglwFNgyyTlDYQiks
vYMmjQzwt68Qx8KCZBlLYvwMJOF5uGIBaAsHgXoUrYGyBYA19Pn1SJ8B86cx
unVAD3k2Uk0INCyRUkDBWEDSEpWNqziAppCUkHKQaKWFhA2UD/A7IW8RXEw8
JDcVcZEhEXmNPhPFOkrcrBWiwzseRyW9jdFYx/3Iq/d+X0iMow4b0Ze/OyN1
zcraN0BbexjkN0fC1TioiGFoYRgQbSSy6N9KLL48e35QzcEhF4flPt5b+Hgj
k7faLw5PPMHw1+IrePxPf+IXZ29PL8/P3l4ekjg85OVf/8TR5yH4n//MmL6G
q9r2KwM8cSfxVMPpQmRXDRZy+XMhnUGzH/O/TWzvEMyKIMqEdO3Ys63EzqL4
8d/pri+lhO46rHVMADRxQA7rJ+XGGhrlWnMAPYF5XnvCtSP8kJXbFtRaLU+g
H402qtiD+oZCgWBI8lz7vGEhAHTBaPMmddXDNfic3AYL2oBnBA8FEhKgNeB+
4C3Ah4D9gCmRC4GfmsitnnSpoW/TyCvCI87O653jwZAJzYC4OzyBq1++tOy4
ou9N1hCuXTlmLfQMKJh6q/DUgEwAcWeBvrPpt0AqR8hrIw5GL4SF/mXQdHAb
IAjfY4GFF0FLwj0wWvwcFTeAAITHsUFyFbkeeiRgdtwMkS7gP1CXgID9jIG2
hT/hBlgD4F2QV/hjIwc65DmyA2JIQT8WSlT81qfPIV10GV70kb3rmyO6TZT3
6w9W/QM3w29BA0S3l8XgXYbOBwOdBwnvoG8LR6Gw83hFsJGxCNmfQ2wBP9uo
dEp5zvaQ57yU56wnzwff7tLb4wD9TnGCBKAkasBIsJDsH7wZUA2YTwqXOElw
5uFmUIWo/lIESLiFYOGoQR8BzFQJiksQrK7HnIAIjDQsPAsNov8qwg7DS6FX
ML22hYwEd4JQhiFDNyKXRx5ZUyH3UwaaA+YEgKpUOP+gnYHlwNxC3AWaWpiA
1iADC1jH2hyBXu7HD6yazT34gRE/8P34gRE/8P34gQmreNce/MCIH8bGsgE/
sL3xDfADG8A3W/EDI37g+/EDI37g+/EDI37gW/DDdrshBl+KYTdkF7RRPV0/
3HuViOytdSsfdimwLS05o0uBkSXH95MUrENnO0kK1tCcO0sK1tCcO0sK1tCc
O0sK1tCcO0sK1tCcO0sK1tCcO0sK1tCcO0sK1tCcO0sK1tCc20iKYRZtYFTi
0tqdFyHdw5D2YFe2q+Olya6s7XjZjV2ZCehuy67MBHS3ZVdmArrbsiszAd1t
2ZWZgO627MpMQHdbdmUmoLstuzIT0N2WXZkJ6G7LrswEdLdiV+0uaHqeV9fL
xd2768qvegt28sGTNdtfh7wVxEq+nGFPTsNN8eLl2fNJ8ZLaT4F5VW3/xBPc
t8Q8W0pWhAcP1jgz+q7J1h0w4nfTD3rncGhQR8XLcBu/nKfClaE70QzOEFVQ
hrTtUAj4UW7Y9WZ4obAS37W8xPbcxPMD1/dLH7WM7TQTluNHnmUpz7VUlNlu
nDoyiHxp+Z5IpPL9JLJ82w/DMoELxFRmO1ZoK4W/pS0ty7GEZcP/heX6wrEj
lbiOZXmWbzkiLp/zvQButFPHtmP4N8JvPc9y4WJiC9dzXTd0M9cRlif8DHRt
8VzgQrOeD184HvzPdiJ4WtmBlcIV4ViOA9d8+DeEv1zHKZ9zfE8Wd0Vwh6D7
8Lel/+dJ6Db0VmCvlFXNS6NXQadXXuAEFvRN+S58Frpf1fsa/ROyHj+OG/61
LUvaaewGceTZoRt65XOuTG0h4W3S8Vzl2qGUiXIcKa1MJL4vEsuKHZl4Xqoi
kUXV+Lyo+w4X3hEHwokTGJCMrUiEKozh2yQKU1U+Z0dJ4oTCSV1fBakfhUEM
TbhBmKkkk0ACnhPAqsKHJAljVQXxiCjx48CxXHiNHTqBil0ZJ5Ebeb6Xhn6a
KM+GBpQnZByKxK76KZLYEmXIjyPKiJ/avzaT+apwrBUbrDpRjVInSmeSMfi2
jK9t+sE6PGQA7HUYkeB7owG2xzZMhQZYbxtmBzTABtxeW6EBNuD22goNsAG3
11ZogA24vbZCA2zA7bUVGmADbq+t0AAbcHtthQbYgNtrKzTABtxeW6EBNuD2
WosGiMssk/Or4NeBwFyKMwNmhDUSCUaVYTSEg5ELMNspNesK5DLpYJQEzp6F
SxOEuFUC/QSKciMMUwsTnGS4GaklxvBAxxhH3JQfo6G3e3WNUdf4Rl0zwYwq
o+PtYvm2glcoMR9X+1KPSyGKew9v8QmbL+J/AHjqRxi2t4KKkJYiwEunKxeY
5G/8UfVu+9Fhy6nC//znQt7D1SH/ymEhof8OyEa3qB9pNbsJynlc3WXCO2M4
p8ImBrwzhnMqrGDAO2M4p9LBBrwzhnMaGKOHd8ZwTvWcAe+M4ZwKexnwzhjO
qTFUH++M4ZzyORPeGcM51fsMeGcM55TPmfDOGM4pnzPhnTbOuX4MBJdI14lE
Ejoq9Z3Ut2UqYCqEpaTjw8RaVgjdSb04gbdVtJjFYeJFroAViW1Yxsf0xd+b
gsnAlNwsqSrfJIgbwBseYRKQQagKbdTpAWlDn9QfKKxRFMRaKIiAE4CfLcOj
2Ja+TCMcYnvsAlZwiO2xC1jBIbbHLmAFh9geu4AVHGJ77AJWcIjtsQtYwSG2
xy5gBYfYHruAFRxie+wCVnCI7bELWMEhNgSHtsEQbBTebIYhOuHdIDzyhrNl
OBiJYzBSM1Gtjzta0M13GwHQiuL8RICRf9Bpi5IDhIfUDLMAawA3AKGnAa59
KjHKFAwnkWJMKdBKKpmX4VQqYmm4kgWYKRYQfQMp6xbgAxAciA9YNh33BHOh
LPoKZF9KvBpiTzx6EClMYtKZFyBHIVcQ13kk8mIbY6MsZYiEMo29J3xB+NUw
EWTjftPAaBr4ftPAaBr4ntMwAhlf/3hy8dOb81/fUGwQ6q3GlbYD6xTAoP5U
o8anHKv8wD8T4R4dCae4oT/dxRcFluzlEDVf2rP/w3Zk/naGf28d2U7k3FlH
thM5d9aRbb2OdaS7KcLr5flvV28uz09eaYsiVRmFyvZi6Ib9roedwNvCtdtJ
TzKG2zZf3gsuE+oQLR9tV9zO5FR7ZYuc604YLv3XdvxWjWi/b7+F0jnV+6aw
rLrZ3TABTZIrr5eFlgp/VHtCBz27dbrdNpYMWjANj1vLkikxabiR7218cEZP
W3Nk41l7e8fSs03AIvCzZ4yvaXW0qa1qoZABDlNFuDlwrB8jlyKnwXXKdwA2
Ezp52UEmBDilBOIGgBFZiEjISxhAHxhjSKAHRENIHYZx2TbmdMSCgKmL30KH
I8qPjshJAIo/JS2e+AwAgbIRD0GbNuWDZBk24qYY8wviCbgdRI+MaDIpwS6A
BwNEMPAVQAdoJKYsSJhYgDiAYAATgICAroYEF0C0gZAK/UF8UImDnJ9evH5x
flmQuMz5r7jJWpToalI/0nxjnlsxfs0mBuYfoIzweZricKwM/WIADQESQc9B
YiIkdZEAENkkOMmACEGqYqysjzSTARAMEArDlErMQEGpBxMLkgvoB8QiSF4M
nVaI8PRvWFYAsnAP0B7MLdArLj0g+xhtDJxASmEEnW1TjgzALxDuAEnhqdRC
uQ9AFgwxeBZ6DvgMXm0RzgsV+mSBejNChJI6D4QEzcIqg0wH4wfzIrrpYUbd
WuWddrJ2O3r1h7e/vW3Oc8nyXG9o9b4v2Z40bzeCE16PcZtzjQIXuCdT1v4h
mUHSoUwUabZ6ZMjoNcgG226CJLBDHjrpaQPqYuuoi29AXWwddfENqIutoy6+
AXWxFnU1E5idoYSKRqmVb59Q0ayHsHlCRfOp8YSKiyEPs0t5STDfIVmCHmUk
wSrBmkiS0xlhMNQPlHQRBehOgfnG1IuMTFHBPLLi0ZFC6+PT4jtIsOsqVYxm
VAx2GiYc9KAMqYs2fgADNSZ8CbwD5AfjSSIUU0BjAC6B8oHUJXlMMhc1nZUx
NIlDNHGFVVi2oLmAnu0mWETM5CpnfUaFs1lGxRCRmTIq6L3fV4kF3ZwK+vp3
z6kYyOt1dsjrdSivV+Pbhmotnejr00sdAwwDM+BbJjTyDawrts662sRKZuus
q02sZLbOutrESibX5r7R2WzvmEvcXts75pI2YPeNuYSJYnvHXHJfsb1jLjGM
6oGzzzb3U7K9Yy7B3mB7x1zyyGO7BHFVn7SgGVBMFrIO0CZMKuATmEsYIhhK
0EeYNuQnD7kNBAbcA7ML2hQmADoOzGo7eH8UMmgBKSIlZOVj8ajMR4+nioa7
s3a7dr+eMeoZ36hngwV4tkmycwq4T5/7vhDUfYfcr2PTnFbkmVNZ+7qV6q52
FPwFeVOcQsFclLu0Tp1zd7Fdzt1FO+eulXKXCFfGIksD33WSIMr+7afcGcs8
jaTcAYRHJhQIJgMfKQms9ijrptxdfLWUOzziYSDl7uKrpdxJ64+dclfqpW+T
cudGtMEWEaqKit1WVMj7pdyVgJ/tAfh5CfhZD/CvUWKwIrhSNj4eO5hQHlgs
isgkz/C9oFpBuYHiAkytrKKgVkolRNAqBwsqww6DOoLHQQEGHiocN8QYZ2A4
i/AUEBv0xyIjHZ5Fi5hwHIwIPsM8wIrABxgadBXoM8uouFTE4KUwIaA+QDcC
TAOAD5BBWkW5EstYjWSQgfdOuWvzwx8v5W4vftg65c7ED4z4Ya+UO5WyvQ1g
4Ac2YABvxQ+M+IHvxw+M+IHvxw+M+IFvwQ/bpdwZ7MuRlLttwEb1dP3wdil3
A7qVD4M/tiUsNYI/RuBvR/OvlBR/1JS7HSXFjil3bUnBGppzr5S7vV1lrKE5
d5YUrKE5d5YUrKE5d5YUrKE5t5EUgxy6S8bdxtzKdjUim9zK2qbajhl3Jpz7
R8q4245b9824I25lJpy7V8bdrtzKTDh3W25lJpy7LbcyE87dlluZCeduw63a
bfDtE+6aLotu0p32WfSS7hxD0t0Gjo2dfBrj+XrOTvl6zlhUh2+MZO+6QjB+
XVmRbQtbZp5M/ERVsdG266VuKDz43rJFJqIgClWYBbYjkyiMbNcRqRCeH/uZ
H4SqiifeJF9PWr9bvl4jRv3r5uu5ka/8KHD9yIcv/Gz7fD2VWr4MpfJtGYpq
PmPpZdJzPeElUWoFmRumqeti5+C1ysqEk4ZJIiyMIQ89u3qfrUxx7J6AubTT
MHZkEFhR5MdJlkQxLEkVa+6qQFlYQDuNob/SiVNYfNuKnUgEngQqigPPt2wv
Cu3Qs6o8TRGksR84wGwBEAS8RvhBmlqeUlkmAnhDIEPbgaEEbhwIWcfux7Ao
8e+Ur2dE+3UAkT+Wr7cZlmB7OKQrLMF6bt8d8/X2xhIPnK+3BZb4Cvl6bsQG
fGZ75evthCXYgM9sKyzBBnxmW2EJNuAz2wpLsAGf2VosMZ6vN7j/g5tJEe4E
w3izCFkSxoibWwHOqpPhJECXYqrQnxEbBnob3sMIIGRzj+GOu4e8DFwGAB43
pIk80mSkP2s3gPbrGlkzHt+oaxtk6znD2XpsKFtvcE9pt2y9i262nhEzHRby
eetsvd52Tytbr4t2xlBOqaFMaGebbL0m2vnG2XrWGMrZJVsPUU6F2AxoZ/Ns
vTbaGUM5VT8NaGcM5dTZc320M4ZyKmRpQDtjKKdGQn2000Y5QIt2EvmhDLIo
S5W0oySwhJPBLxG7aZQBXQaBUADQQy+C4VRzYHkBkINILQfRZppsmK1nllP7
Z+s1MBBrYaB2tt7Ge+BsSzeoEQxtmq03Cob+ANl6Bb75Rtl6wxuIe2Xr9cAQ
22MDsQJDbI8NxAoMsT02ECswxPbYQKzAEBsCQ9sgCDYKbjZDEJ2ztrbK1rs4
HkvXc4bS9bIEZzdQlJJJrAPUgfImwPg8inrEcLrEw4AkPKQnLkKLEgqTQgIH
crCRVOMUw5BBHuAqhThcmDMnRRLAyMIYI/+ki0HfgY3T4CY4BxGd9gZq1KJJ
hR9YTFwNOikgkBgGbpFMCiVKI+AYh8Ly4IPlm5ChafBr8/X2mweKFCCxt8c8
MJoHvu88DIPGOrjU6eXrOW0HVo0WN83Sc1pZes5Ilp7B6g+tnbb4BtaNbUm/
xnVjW9Kvcd3YFus2ivVlni+SKQUn0QnH6EGpIvuLxTypFrEE6+fzZHl/u7Jq
qF5DoG2gOELwqoBVB4r3IdCJkeFA15Rwx8GJRZWmMKoWZG4QoQwNSOm61iao
he2xebtd5F43Xi9VIIa1Zwwl70u0n7bxlh+ujwnHCX1pCv/T9euc0tUN76+T
GIvlMSU/NsveNZ85LN18jYuFfYpD66YGIs3VvW4fNttNfhx3jztfnwqLFm1/
EwfmtqM7YsY8SGPgfaVXELLuG4LKNoHfdtNf08h+7Cr9OvtKlyyQILMiaiZD
AAjCEbA5iDMQhYrkI4Ymgwjupj3swirzBfpGLv7yQNyCDQ+xi1uyy/RDn1vW
sUvjmYpb6msFOenB7cEu1P0RfnEfjl+cTfhl+wEaXf40zDGOcb8Rx1jGc490
91ocU8UEwtNovUSYu4FAgtAFAJIwRazvpqj90xFtbkysdTCx9rFOocM9TXIF
khuwVNxc4mndKmVdLugc9U1pVFX+ehPWAaWl6RQ5Tc4IOqB6PixVF5FhzZtH
5uzdzqyE1dF1UvKIEmhgnQAZgRnlUp4yWLhCA58Yb1A+Xs8onxFPHCIrCdPt
cHUZYq4M0xdsG5cfJJFM0ViLyPCPYmowQiEFih0MMYuyPjNYGo/yNF0Ad4gp
0GFCN7uU45mklG1Nhq0iwoptfGPqUaK3Q4aePoPUQzMzohAZaMGO0RgHsAbv
gmaxlpuF2UJAnYD7EhstUFx2DyGqh/kWjWWvMFnr8MBetm1zco8NybMGNoms
hsECP/vNPaO55/vNPaO55/vNPaO5519h7gdS8twdUvJcfdSm1hstbiqsovVJ
ea4pKS/g3zI5ZZNdU7bOmNrECGbrjKlNjGC2zphaawTDKNjekdv1juJ+mQxs
78ht2qrdN3Ibd/P2jtymrIx9I7fR2t07cpunIds7chtUOds7chsGwvaO3IY7
2Y7xmFrEmLdjfV0ITCAhwHoCLwKLR5p8bDqDU+EHTOoVODKbJhsoLiF9ant4
ooykIgnQWbgHxH3sYm48yOg4GO7O2t3Y/XrGqGd8o541ax+420a8G4S3IeJ9
g8JYbs/R5rahvXaXuSPusj37ss575FbeI3cL75GPxSqFJ90oTqMswi1OO8Lt
WDuIfJFmduq6Tpj4vmt7SspqAy1RaeqL2IvdKA3iODB5j0x0tLX3aJTQ2GYs
sBmhjc78iEms0Ue1DAjJH8iT5JKda0wlDck4dgd8SUbz2P3kGL1JddGZr+BO
grY6DiV3zEAOvz5hPrRDqW8evzRixto6Djch7XEZyjYg7bY/qfr0sqtuancS
6M+MCqlEZDxgFSyCewDrIhcr+SROUTqCCuY8AO+QCfsg3KP/A+PYHWKhqGQh
o39pIzZqPllx0d4+pi4P0SBGmCh6OCb6xl6mcT6KvhEfDXqZuoxUeZkABAL4
dBMEhIAq8f1k7mEpCSr3BjBYWcP8Y/QyuQ/vZXJNXia39DK5bS+T2/Kmtzp6
UHmWYOg2FdEPY6zCghU7LDx9rB56zfybelpck6fFQCpV5RyA9+v7ATAT2XkB
ogqHiZ/Vp9sFTPWSf/4OLk/g8qS8ZH/RtZXw9vHSSqOFlQhSFs0MiKWgFEso
1oaqZZrkUiNdo/1syb3Ni8NVJBuB4iMx4h1HeD01g1IqeDAptVnw+85DNQqr
csBjdTSDb6X3h0J/q04OlFIjuxuM4og8fJFHlbXA8vWo0FOGli/WwPGxuI3+
4GqbWuBWfhqh5xzQA5a+oYpSYEdHCUXJiLYQJXn389Xpz5fn/BWsDLAYsMxS
adbrfCFncBmWUcOGtFOIFlOhNJPKETYUR/Y6Nmy3dgAUE6tZlcd0yFuQoMer
pVw4HH6uoMaWYKEKvXpY2XJxU5JRiVla9/beCTceAsg7JINuVDwMCglq4neS
EXhbZzIGhYVt9WzX34vLq+72WL1ykVjkPx9lw7oVMy/KFH2BgCMygVDCz9DJ
5FAxvEChy9a20OWZxlTGzEcW9CiSJXbQzQY2hh/i8VQubQko8l8CZyMkgW+j
jn+l4LjXcilvFPQqR42XJ4ulmtzitS+aY4lUy6Ki5UO39UPDivBknP+wcY1R
gEBetNYhR4vhLqeKOMUbURi00vyMVSybIOEEcVERZkfvOamw0AGAoCfMbCo1
H6NedR+b2N2twhuAYIhYiJs1XYEkmBfTUFViWtKwivFcKUR9Ty9h5m6ncAO/
OMsHa3c7R844pDh9e4kPY0e0ubUibFm3XVJ9rpYfUGBNj9SRrvapO9K4JZnh
M0ccR9YsZWR9skPM+pwm1yh2i1cSXIN3yiaOaz3l2vgcpbXOPyCKrTqoO9Pu
J76ltZNJvXmct+cN72zDcHoprGmzeOepLsu0flb0kEdnRffVNCsibc3KxdCs
IPB+B23iE8bp0L3oTodIW5D7ivqx8XyIzTTwNknHLQ4ZTz0ekwCF2Dd25/ue
Yi4VnhZQb3sOrxHdXD468mxPRdZPF3rS9CwrtVD/S5hPEFPAy/IOgMw6J1NX
UrEx7TmwfhvUqP96XrGeaB3XoMYu90Fzo/Y8alKjdDY3ZfZsZQki0Sym/UsH
64eCLhUhln7Hkuoholi4AeBvjDHdHaFuAKRbpeZvziXu+vR8Q2f6PGK3eSSH
uzZmkg2eHXWCGZ9rs0fzu3Gg1h/tej7Q6zOMJXtcEO6BJPvv3oTusYsjVG/T
Nr2x+LSpoVZQT9UI7f6DUYi1RmNEhFGIBfXayO8lsPYvt6lcKcbw8x19HkQf
LzazoqAl3ehBaQfxJ8fjzg5tzNgNw6ltj2xuyDyUHZPdzWkSNAGW4yKHfzlc
aLpfaadzy4CESn3MM4O/I4qMiEOs9qqoiq2O6clSvAgwPsQDIAzHGw28rl/i
sg5esfjOr2VUprMIpCyp/H2TgoYZsObA1I+V7Ue+JeIwTpSUlm17YZbGobDC
yEr6xl7fmyEz5ISBCa4tKoyTSDH6JLOwci76OAL0wAgKvIgsdHBEHm4bRlRi
2xUYWCMz9GJkNkYnuBJLxflUtDfO6AwvH4OasBR1k69OqEP1XBz2TV3cDMmL
3MLSASDn6iPM2R/F8qd1wzVufoumF7DBtZy/05CWpEPfOfrlqLtS6wxeWBUs
4ZyQvk/RWY5RGy5GSMXkl4opOgbNXolJWImLCtuNMfQZyyFbFAynMMQpiKnS
hIMfPDp5wfE2hb49J5NewrY/eBSvGlSkCUb2gGJ/4hsgcmDemyb6l6N12GiU
URpHehAg8svoPEdiSAzYKbZCYQCgyZe0T5/hIgXpRlhpj2nVAGfddDYQRX8i
m3Bjz5kkZ+TYPFb6F+QEipMYQyYThSFMdoKxRm39e1rX/EWnC5YAzr8w+u67
xo5Q4za4awnXqS5wo58lq/9FLXNQUseYqwwWY604wVqcyhn/6e4mhqkGke8G
rh1ZIOPgvvI83Mbt1SEeldPjGMSQ8Dy7qqnDL/L8Dhs7/amUUfxysVjx87R9
H0zONJ2u7lui6Se48ZkCtaGOYXqXFBIYHgv32PFB3wjBf3j1pveAlq3H/Ewl
FBTnHFsW/OADUeuBqzuqvdDuWzWf3Q4Wd/PX+jgPREIXQD3Hrfc3vhyZk/K/
4nrx1ASeOu7dc3sX9y/if9sUvTc2sPGBnVxkxgaoOP521FDfRMzQHtlO55+3
Wtjm8M+qqH6rhZ0OAm21sGmxfeTeOmugzb1VVe+vwL2gLCvuldYfgns1Mz4A
99bz+Ufn3m0qFxkb2DiBH+PuTQ3oY4Cq+dmbe3eqhtRqYZtiAFUMbquFnQoD
tFrYNDaX2Pd0cXMDFi9xREf9wqWvw8BhFDXUb/BHUL/Osf1g6tfUtz8a74Iy
0vE5oYVkkoQYRQqDA2YEfsVsG4X5CwGwglnzIjNkaEPaMeVhCuR8nW3mZri7
71NCTgzvMTcADKJqzferZ0UfHIp5niNl5e1uF1+TGwfjYI55ArMDlDrrtd0k
YiQvUzvPZA7zfErxexgelI+1d3L85vKX868oZYAnwdaDFYAJtD3MSMBoBoma
GVS6S/kiAW2J4tanxJ3QsD2Hro/rhhghQ4KGaQ/pwChfJ6noM3Y8FGQJGTdW
gGUGmi3AqsEKJnQ+HFiOeCinS3lTMToO4Aco36LsFugYXgcx1G4hovoh8Bab
xD00ldHpWEA1VjPgCMQMP2mXACHz6GoFfyT87MUhPz294het01sev5+mj/l3
IIVylUxgkRI1ESCILuZgVuFu0yd5czvrndVWnKhSA2A0g5onuBWmmbq9Vjdq
KWeTvOjFNINXT16o2exGzvlBVRXNeaI3wBplTu5u0SbLW7uwOffp7QJ3TPli
ie9eZPx2qTIw0cjv2e/cYj67NzfHxVEhg6AzU3r1jM/VuwX2AWewrKWmPmkT
77DzOBqjd7mq9ulS3Lm+mc6LE2XqbWcwRv+dOXrue7hwNTk9fTWx/YnvTmwR
Vrd2Cmd+X55JU93w6uS053g8qFb8CTxRN4YepHIcjUYPzk/PXvDkbvlB4f2v
W+2bjmoE+Xul7xnerBkY1fDORWNsZPcXByFCn3MirqWCNc6BvLSVjWePNm85
uHz98slhtTkKcyH56V/f8NOZnN7koC3RP356pamjfYDR6rp90FAVgKCZ44i1
c0ZsfpBNl/mKr6Y3MGGfv7ux32L03rMF0vs8vV2gnBtiiLxmRr0jXDNAM8Cg
uGpwthabr709pQbfUPRCzqervOCLZfdATh+onuN2EnB296TOxv4y8cSqVT/o
l4s351fmk47Kno1kOy+VPq9pXguG+kxPdPhiYEbnYHAz1Q6d+lm3W1ZFwrMz
fx2sT5mg7EbgliCaQ890jE5cULT6cEDMbhMo+jEN06bkR4EptngKrIsprXbK
7ISnDqLoNEBNkwr0JIJ6aNYSWdfZipQP+eNPjyfJAkTbdI7bKD+8Hex94KLS
sOkQxJhOgQbtBEAAbARPod5wyLkGoD8m+ACI2ovpbNgMLVJQNcIvDv/BuEFF
XlJBOaIZnhn7tXq/Nvtrv4EwGgjfZCAjrGIMq6GgC+1WX/WiMyxVSv2cKnxO
yTXZFFSFdLEn9GAZqoHWVJvRsK3WkVzGviTXi1wHKVUjoDgUY3SGpQzLt2W7
wzzedDuuzaDDRDZ7JFltuHhIJXM7h13b5rIxdXV1sIWk7aRBLC03zOLYtz0V
uU7oS+nAH7GSXuykYeZ7mSN8UZmWceBGsVJhKoJQZbIuh9FPxGvog5EYXZ3g
sheRswa3jhA5t7q+YBD8sJKdXIB0AQJ4DoZTgYc6ikH7t0GNaSmNLWiBfH55
+fb057NzgDy4MVgcWljog0skYrzj4qfnP2scV7/xdrm4BQLrAq9D0NAmFbS6
vjMooaO+Erpk5vModaf7BcSrNRFt31pPvQMSXiCGRP3O2BWAAeB5dat1+q1a
gqK60X1r5kvaxOo1NDjknz8TNPhyyOO7lZ7Fcpui1KNHvydu+HwMb1t9XCzf
T8Cgfzf//tFMZatHX4akZAf56rCJ5vmJNwucICPkOMif4NaKNioSCWreBwKY
zbrhbHK5lPf8P/wNvhX/4e8bQo8q0AEtML+9un90BOL46LVOqNZBJNFv7FN4
PG430inVIUVcxAJFQppQlQOsDkmb6sT6wmFehgfMSwIkysFNSos2n4VnYpCv
CUFCiR3PKMcWz9C2sb+g3m2qG2EHKJgkVUoAAGXb6P9IMwyTyjB4BE/3tWIW
+TgBMXlHwKZOJJ6mm6Ac3AmCLOaKP75vjWC4PDkIUZnhfoFP0c8gTW1yGcoU
t40ByKGTNaT9eTok2gvIEUB1sOiEaJTxmN3vULkUF52FoUVeG+frTf5aBLXf
OjBaB77JOnxVBOUEOyKoiehDKCf4yhDKCR4QQjUb37IIwRiWGhR8O4MqEsV/
r5BVKDM/cx1LxcoOU8e1Q9eyAxlJ244zz7aTMM2yMAsdN3CsOKrOZ0nsOIDv
4kSKLAEMViKridgOWkUNaFWKe74rD7CeLBrhAd5asgZkEF2MVbmaBpMJCvWJ
OExzRcfBNq5JUXfmiwpE0PnASaJuVzKeqaNe9ufD6LzqBYM677fBU8FpC8qm
TRasiGwhAA4prNAltQeyWFIcFKxhFlDQTVpUHQQNh7a3ZGFI0TpU58rHHBRs
SuFqm8TuQG/HxO5g912bsutsBPKZhV0AYJ4IVMpAiKAmQKenFO6CruEIkTtY
BBgmHOI2uCtgECyk+kJZhIV3YKCORG9+hilyBqGzvvdb6DxFRZFS3HoDkJFK
pHpJFZTiCB0ZoPk8HzsHfBD6ODywTeB3RiWrQcNFNjYCY4MpAKSCpb1cZC8V
8SjdqfemuV+r8vZbBkbLwDdZhh57b6DzLgd1nthZ54U9lSe2UnnVCCin5wBd
qB+6OR27qLxOu4MqT3SroxiKsokdirIJXZQNqOYQ/q2Ux5OWTml9McAaIOxB
mcDvOMWdFkml6oQ2t13UAwHlyXkWmu1uirfhRrZH23sBfg48hgdeOlQ6zaK9
GioQBsIqNMXYtnu1luT36yCjDvJNOkjLMzXWrxOtvPq8UM2wEr35X1sKT/T1
ux9+UybnG8wr22zhN5rX6oMe/YBJSDWMshT1Hug0kLi63J8V4vAyhQMAwQwj
dDJUpBiAZOMjHh08EOImIouoiw6hGcBJsa5uhzpzsDdryW+/jjHqGN+kY7oW
glBrSiHY41mgz9EXo4OlaYsrv5YIpnIdvQp21W+ttBtKsURrC5EZkDIAI1RE
+NevTTFLD7aWrt96az2BfqwEISXYmr5FgTsO+f6AVDCmDOPUUquouSzI+ndp
rx+D0aiYYpAy0CWAHdDZ51GEGlWGE1TVvsW180Nez11PkJZ5PbjRuzp4Um9X
VlpnpORN0e73nVYoHPZQz2cnXBzk8quT00mxsde+s4yqzYuQXqTB5jTnvVSU
34FD2jHnYjAZwKOoyNRH9geZ4FB0Myy6S0U0AWCBbYJB0D4KFqxhaqEcAzsF
LAvXpwoOKZZLEg7VM42ojKlPVRuAYJpYpHOYmHPY3Yhv+A7LQ0Iq56F2zY7u
BmN6ocyBHhZzbb6g+5M2h0uHJ15tGRJ5CWjgWdo9PiygzbD5A3eKrqEC6NAc
JEBtVhbLkA0yfAoKu3qJuGRgD02gYeFSHgbYe6mLvh0gEAxWp3KaAI1B+kVk
SYY6aj1EX74M0NUGVqhKyaChHCtQS0CAysenMMrEeEJdq9caBfc73QPFA/0H
hYQ0FKFkwfqiigJTHCzrirA9QTgvJBIWqFIdBwjqE9B6RBVQ4assZklMtbEd
FDqodP0iXDAzJkpu2v+NzBHXQzUJE+hRQC9wgg5IVqI4RMeiVYDphYlFnpao
9YH1pY9aHBStsphNxYAF1SPwdDxwhhMSiB7njHFL29PeCk45rCrAN9IPGKmM
q5Mf3+hvUFX88Pby16MmfqrrlNXYp35kKDFusxplnQzRjg1vFOL1q/tpQEJR
tiZK4rVZQIYUIHz8YVPmhpKXm/NZpjyNJWo6nq+y1HOCwHaxRr4VZk6mHBn6
SehkmZv4se0rL7BEmGVOVB2m6wnHT+xQxHhocugajsc1pGrWnRvbKLT53hiL
laptBGN1q4hUHxq9HKggkmF6AHAawucAI9QdEnaCKuoClE6oABHuSAYYTB9T
EfzQLktO++gcsHzMWkGpKjDYDYA57ltEGIfQAX8ld4zCv2EOOWq30iqKgyw6
gIc24aCq3R4QqubwUL+jxzZdPNR7oOQV+qtgEgN2beC6Fmq9LFDrpUatRy3U
evnrVqhV14FRZDoJUguYO6Lwikc+o4Tssow2thWZZiHFlUvyB8EjmY+1KYE+
shjRTkRhsDZtkgjHQILVxA5nXKLDysFATqDqyEd7K7HwT8vCfI+A9seB5m06
7g+kPeaVhUhyNlUYtyPU97g3RsnMIdXpFil1vJXJPF6Acqluiv3vYRGPR18h
nqV/h44gEfW59qJ19LxAUqi+ap9of1lK6PIvXSpY0In2+hqSTjvITRaRnkTg
TYeUzkm3PjmiPDKlfE1BvJ81Cbv8GAWn0IV5m6Hq9QOG8ryN47ssFyGI01TJ
dW8B5l2+ftna98do1aJPn/lW/z2FJ58WnCeg34+KKNYjld49Ohx7ML+LywdD
eHDj9z5N5tnTitftzR99SgUXX6r7pw1Jgc+LsX5WT79ftR4U5SKte/gpEEPj
wQm+0d7ojcnyQ/NB/cZnz04dN/LxUNzzE/fMEeeRa52enIkT4bi2G/Zivc/O
ToUdRPaJLU6ePzt9dnIaOT6eVeufnbnucwsG8PRT8z0Ovcf17OhceAGo4Wfi
xDo9Bz3sPLcix35uP3dCv/ee05Pg5PnZie8+Pz07t2wrPBXCPfXs85Nnz30r
EI9hRI0Z/MKa/zaJfJDCo6oAtSQt6+sa8yHaE5jzatHesod43Kca+WBYgFRE
frDR11SdPKB5A+QXHmxfooGd0D1ro3s+jO7paIiwqN/fhuFsexjOezCcGWD4
dnudBhehYa9zF0lZPV0/3HuV7TgGAbYzUmM9J8QYUhugJ7YNPfEBemJ7WIsV
PbFt6GnIrGPb0JPJrBtcx4aWo6X0Gs7MUEfz7r6gbMCrtNWCsu0FRH9B2d7m
Pywo215A9BeUbS8gTAtaYqatSiKZjcRt6n43sFq3OEDz4LcmSHtyqAuWMG3s
fc8P1iC6vvOudQeMuFWHsJviccRqq7Kco8GqKKKydqVtua7tCC8U1iaWb6kO
mxZw1/KV8K+PR7uHvu2ngeUnfpVdKZTv+W7gWSG82ZYe6F24G3sgLMsWNvYj
jpMSMVR5pdJNHaEAOSQyFVIjhzRNCChIW8gsTmKZlEAhraxy180sQaNDfKA0
PoiFtBKF+CBDfJDZGeCDRAYyq56TvpslqUJYkAAsSDxbyTgjWLBNIafBRBxj
4Sa9bgZNU7sCiOX2k1Bs2O+9uYRiO0GYjoR6aAfl5hKK7QRhKgk1UD+rWE9j
yQ7MDFaY8gdjxRxOgWZzZgwLbJJFC142ao6vb64vX3rHMZOUKY3T6knDbXsP
ydTmnuMbtMrrkvOlGdu40paLpwAE9afacN30LOtSphY4spQOetrr5ooA+byO
cNfGd5VZdqhTErvBIZVYgfZmd0UeG95U1dY/7ObBpQoDKGJTVdcR5xhtA9Fa
3MhbMFUr455/0VLtjiJSZjLBzEaMUivz5Ew1WB2hI9yb92DACjoV6q0gSbt8
kiKVqIVmNX7ZrmN6MLGjJ+2ST43l7AtPu9pqJdfjxrQ07L55ef7b1ZvL85NX
mmG+rY+++XKjk94qDZuKMMbqdY266vstVLVHe18Ne+0by9M98bk1kRuUEv3a
vnnbrnzzW5ZjbAzKfC5PY2hj54pY38i1b5lCO1qdbEU5V0wTU8iKouPmYomh
CJiVFKIOBvs36qbPrTtXRKBc+hXlhFp9VIBmm7yLtNHoUit8rdnEQFejEBEA
BvGmVIRc0qkCAQWPYvbUJrqiCtvtxD939MQPb3972+zSYRsLdr8u6ah30AiV
X17McYdxXtY6Z+RFLuPviNjKUJNmm0eGmGgDqblNy1bEDx4ztcUiNMOkHTYY
9efsEPXnVEexisO2/Cm08Pr4M8NpurbbPE734WOe+DqNBZic7e1WRBy+t1sR
5AHb260Iz7K93YowP2zQDaTX1byDlGYYPhVbOGeKjjcAXJ8K5A+ga4v2jkRa
plf6yDEw+tAuIrQiH5aIRVRwKIzwQRcWzaUzFYAtpEH8NqhsLLJuv44x6hjf
pGNDAUSN2h7/1gKImhlV2wYQNZ8dDyC6GCw0SqfvAMPo1D07xH1HmHUsBU5h
8b5PrE4lX4HBQoe2Sm2SHQ4mPIQWkxHKF5dSyqA1LDsVEpMbY9Favd43gAh4
GGQHan/KHYSeo9whBZDSqbkRRbFiNqGgYzQpWiqmejgpFSbyfTqhxMayRsCo
MSXgBBmW02lljm3d/40CiHw6xETRuSSgfjDQjsLtQM7iFQdZAU8Tcuj86pgq
7TkYtZuSVEJmipmTkBpzqJSYTWejSPydhH3Wudg2aghPzjJHDdE3Omro4rfN
oobqxr551BC9emgr2zssTkXfPm6o6V79XSKHijkdNE68ur50przY8j3lu0kg
UiH81LOsxBYp1Q3w08QNQxtWzorgpqgqF5lmYZQKV3puJpQXyc0Dh6hvY4FD
ZQz7HiqElbptRIWMBw7pXg6kCLsoC6XghZCjs0Cx2HWCfAk2B3CwleL1zCfZ
Q5W0QfUDC4IEUjYm4wBIgJuxOBZVC1QUp49FhFslxJvcNho4NHrizddkc2Ts
PWONqN1urFE164f0inWRRt3bayvm4ret4owuDNHxF+04o4vtouNBN1pUjM2j
U9vjBPEkUCkeMEBpgFh6zSJ7xEcMCfQMtwV0/qKMseJaGuC2uQgRPdp0sBwg
bYTobisHu/pQTepQemKEegL0tKDK4Bhb5KH+wHp9LsZ2x/RyRcAWbWYb+wia
EjApqBZQ+SJhipBsQr5wPJ2TdKfqbnUNJuluE2bkFFtXztCRj369KdXecnKa
YUZOe/P8ohTo5V/a6enUYUYXO4QZibgTZnRhCjMScRVm1I8zMmVV9+OMRBM5
1d192DgjV0w8a+LYk+eg4Z5PnGDiiIkT9WKO/seIM4JV+sZxRiengXcenZ+e
O+ee9ez5aXh+5ltOFIVh5AnhWl2wwb1TN3j23PbPnke+71snri2i8PSZ61jB
8+D8mY/xP4Y4I//cOzv3bdsJwxP3WXgSCvjsuPD6Myc4P33Wf484ccLgTHjB
uX/2zDkVJ5Fz9lzYz587J8+hn+vijDqBRsbCAVal8/U2XUBlax0KYMRSuBZ9
cKiOaormOPwIKh6iPzjk5ik+CFZ8iAbdBiLuBhv0TAW2vanAe6YCK02F2m2w
PaZnPUzPN8L020UjGRxGI9FI2wjU6un6YYNvyjOIuZ3hH+u5Nsbg3wDNsW1o
jg/QHNuG5obMU7YNzfEBmmP72ZGa5tgamhtc607Ekhs0nETa87bHorMBf9ZW
i862FzT9RWfbC5r+orPtBU1/0b+l80AjtG8f1EQqpoSH3cim5qHeTVxYRzbV
oU3jKHI0tMnZOrTJGbPH/U5ok4gx+GcT27zUwE0bvWubY2hTEDiuI0TqeI4F
v53yOQdb810ffnv423GcgH4L+h11Q56qkKi4Dn2SSQCvVYlylGfFWRKqtAVi
vMStyszHme2nGWEXSdgliRG7ZIGKfR3y5CsvVRqqSLfyN4SygCzwstQJVBJ7
QgJCSQGhwEzETiJk5KSZsLPMkVl1akASPnDok1Gt1TV9qFbifqKODbvuNxd1
bCdM1RF1bCdM1RF1bCdM1RF1bCdM1RF1bBRTjYRHOQOxRJIOV8BjFTLa8qFx
O9FIM6PhQ+ub2yA8yinDo5zR8KivMCRTm3uOb9idUO+POr34KKctXGsze9Oo
KKcVFeWYo6Iu/q1GRYGVu1NUlIiHoqLwmx2josRQVJRJrlamCcYEbEI/o94o
meeLZEq+QDSNWrVPS6I6qYjpb5okHp3Pk+X97cp61Dsk9Ss60+mLvzcPWjcy
U20+hQ7Gt7i0te87qEmCiHIFSXa61iY6h222XbzZruzozHe9f9rBXJ2k/BLh
2Dag8HB9fAVO6EuTQ1Hv1TilKds78Br/W7PF03zmsMQX7QOuy6ENHRJtOkeh
G3c2DiGdB9vSqY/A5nzXQ7BN4zOHoJkYvxF65nyrzSHTztDLrpqsz4QE4ePQ
QW0enZmE5W6o8rUgRANoy44Q4ADwwU2g7pmQu3DKfEHa6C8PxCzY8BC3uCW3
TD8Yzh9ewy2NZypmqa8VtKQHtwe3UPdH2MV9OHZxNjE0th+gkV1omGP84n4j
frFSEyTU3WtxTH2Gt4eReHhYIEWXgY4KU6oFRecFOinaS73DUxuMYgzVdBAs
PdaBNQikHiMb0E5Bqbe5xBNbVMq6XNA57oU2fCpA1kSXQGlpOkVOkzNCDqid
D0vNVZRBLXnzyBwP2p2VCm+DKQRDT21K0aAT2/AgLR8L53s+LkxMV1SAAW5R
irfZzQ24CsC0itr1YjibXTk2BGWa0FcF3T06WHKvbg6ETbo7hE26Vdikc9he
pgKmrw+bdA2j9eyGr/LhA9r4KKTVxjzbb4NEf2D7bZBoY57tt0GijXm23waJ
NubZ1hsk1Se98ANFqKjyMnQcKybT8sI6ADXD0skMA2Zjm2YxxZURAUoyjFf1
MIjVozNPE4FgBUAAzDrwAIZ/Ovi4nbTPQu90Z21g5X49Y9QzvlHPmqHO7oan
ohg4qX0qyppkJ7dnzLttva1N8qrCdvO+Xd68zg50KzvQ3cIOjGXmWzKNEwAS
WaKCMJKZ8GLbCmUqhQg8L/Asz088kdiJsCpnrC9FKl3pu04Y2UnsmuxAE41s
bQeOEhHbjLw3I6LRmR9Bt1reV8ug4ycfxCZ0uSEEUG8jhIRz3QGr0Ih0m/sP
rae+nlnIOmahO4Zzw69PlD2z8BsYhQbuboDccBOyHpeNbAOyHjIK3SGjELQb
YB+XijX5KSUIOHh4qk3KNKSiYaArZYDAQKgHYBsCog/COPo/gLjuEPdEJfcY
rcSNOKj55Fc0FVnXVBxloejhWOgbm4rjXBR9Iy6yTCX1de/MlmIUYiytFyEc
htd7VI428TEIVxEeB9TZO9FlXVKf+/CWomuyFN3SUnTblqI7YCm6jc0YmEIr
wLnE9CgL5xWM5SgzmH/uxuafazL/DITS3LhZ3w8Cj8jNC5BUOE78rD7hISKw
Ip+/g8sTuDwpL+EJveXt46HOo4HOBB2LZgakUlBKpbGw/jVi6ZsH9ddTMyil
ggeTUnVI/5bpxpsN1SisygGP5QkE30rrt/ME2mHX1MmBPJ6Y2iPXFlx1SFRh
MewMY8IFnVoSudgpjypKRhmWeXQyzKbE81Z9TO8H+J4pqp8dYSlnPG1bF2Vu
9ogE3s9Xpz9fnvNXsDLAYlc63h2pqPMFViHHM/nKCqLtqH2M2tFMKjts6B4J
XZ3+8+cx9mu3cgCUEqtZFWhzyFtIoMejpTw4HH6uoMKWQOkWRC1WpoQqrXt7
74QbDwHaHZIJty7bxywcqInfSTbgbZ3JGBQSttWzVn8v7q6628/+rjhc0jFX
Y+xXtzJQjDtDweCRHwldyj6dS0DHM+GBpAmeFhRKspYpYzcJEVgEEg8xsD38
NkiZS6nEIGzgKRAwoYd1gyObq/6hmwWvvS4jAHLNm0ScZa58eVMVJpCPqLyT
8RMhsHENR4AkXrRmPkfTAA/CgvaKNyLbt4LWjKmoTUDQOw/9pD5lHfDOE2Yb
l6b5GPWq+9jE7uK1G0BbiE6IfzUlGY8iomEV47lSCPCeXsLM3U7hBn5xlrOh
VEKMlRgFD6e6cCt2RNtVK4KRddslnedq+QFFlD63FK/ojjRuSWb4jA7AGDot
CQRs8crOkaGtGAn9BEVZzj8gVK26prvR7iHe3QKS1I/HeXvG8E7jAYGtA41O
dYLJ+vnQgx2dD91X03w47fm4WD8fljJOh+5Fdzqc1nRcUTc2no7W+XjDSnab
ENgWa4wHwo6xfiHhjd35vqeDS922yJPFUr3tebNG1HD56MizPW1YP12oRNOz
VfWa/peYcH+PTCzvZqu1XqSuiGJjinJg/Tao4vP13F49mTquLI1d7uPiRnEe
VJpGsWxuyuy7ChNsJ5LossJq6VQRALAncB+WxKA8f7DKAeHSEb0daW7AnFsF
im/OJe54sLiBS7AzfR6x2zyCh/VszCQbPNu3Jz/V9qTxuTZ7NL8bx2T90a7n
A70+w7CxxwVVMPUuqLH/8iNjurihkyN0T8fVmGN2TQ0Zo12xFo2DRW/cmM62
Ekj0Wbf+z0tg7l/o3HPG8LM+A32whsGLdR6Lgq7UvW70oDR6+JPjcY+Gtlzs
hpXUNj42t1oeymjJ7uY0CVUXtT+/HCo0288e6twyFHBl4cYwgPIs5bE+LTfC
Qj+pT9nMPu49WwK/ivFocYPLceB1/TzFOmvJ4ju/lpHTufBhlxT+vkk9w+xX
85+0bNsLszQOhRVGVpL6sbL9yLdEHMaJMpRhqDpQeeMyZIKB+W2dqorVmxJ0
YKQpns2W2pTOHuMOvPBxTyOz0QzyyFGSRniEG574ZWEQhApgVhhojcynPX8X
dzz8FBu0O0UOTqhDjanoWbS41ZEX54+Wdr6cq49lMtAfwMCnVcMVbn6L9hYw
ABUUIjRLcqHv+/zSjoHewK6FVYgdPIEvoGJXUYAeI5suuj5GRmQRRnNkdJCJ
CDG0Csti0Rk1sYerE0mGJOygtymkABD4E51SIbS2Kezt+ZD0CrbdvaNY1aAe
TRCyBxL7E98AkAPzTm1MyOymKR/HRaN8UsshoHiYd5sigkIbw2MEnQ3kZBim
ElDMDNyQuOTl2wwn7TGtGtysm84GmuhPZBNq7DmT5Gscm8dK88JE4ek2Edan
AIGCLlMf60jV0/Udv5gDupim/M1SJqB7+OfvcpVMsHyImkz1d19wWtGbUuje
KkWjODCFNFZxb7lNWhXrkgRQZ1MJxuMU774BM1Jj0I/T2YwSJPCORa5oom7u
APBgsIi850v1D3glnlpO5Z3eobQacJQewheXz0/DyI2qPyLLc/APbBaQw+tJ
aFkTzz/RSRxT8hD9A18neX4joS+5InXbHFY6zTJYSOj8Usl8QXkpxRD5zfTd
9QrFZzF2bYlTJbPV/W1rWqarKZ6tTntfJHQXK3QNZVM1S3M97mLekB4+qtns
iF+0Zgum/3pxN4MbYdQ8v0N8uODJtUrek9bLpzfTmVwOvBkoDAd4/uIMQITh
rUeEwc7L3azz5XKBbrbv4OLV3fJ2dge3L5ewJM0Nr+JhxkoaMnz51qbqGfjs
ET9dLJe4oNV9lNTSOiG4vdgl2vPWu8krmr5oEyJ04MCpN/tc3JSwygC5wMVz
4W0HSwnFEoNj8cDVGP2WHhU5pEqVKPpjn3ybknsxc1K8zffoXDM6TCoOyhjF
kI42CzHUUAKGaYYfNCezt3lodMsZZta10VjE3UasiUKOG/O8WgNTWWU37TuV
e88jd1K24TzSqNsGwxhhascr+V3rKezcFlKIJtx89cvFm/Mrmk0xMJVimCq/
1lTq7vwOVElT+QYhe+E9bE5kq/5iPZUoY0q7ZHU9XQJ9aknFD354++uTIUZv
+igfhM2DNm0GNJsYBwsWaISoDifXoYqJXlEQFb99jvG0+ja8Aa6fc/+U7FaX
bjsvH6TzX/1T+nmOf2Jkb282/7pcwLjmdzcxiHhk1ZaAK6Yqr6ezvrP8rsxd
bD1ZT6vpgZzbQ5Pq7Dypgh+4FSj7Nketu8+2rBxcCwLMx2xSb5FUqvWdQZYW
6eMCN5Jtq/EEbiC0ClKbKbp6ckDQejuI2lYFe7sKQRVBt7cbVa8fVTnrpkfX
BN56VpwBafk15kM05kN3b6NpQGxziuFHi8lS6SSIEuHoOaK/cHQFQh8WffUN
g8LvaqgUbetvgORkieiat68nDkAT07zlWs1oFGtb4xNYLUjdzU+N4qhEtIXW
GVqkYKR96kN5a4AlEvXNFdZeI6Drqtmo8cg+tkP82UnvsRJF7K73qnUHwD29
xZqNejmqRHGC3vXqtydzrk9UzfknmIPP/9//+X99gSm6PeKXILCnS00TlLv9
if+J35onPBpd0NaEe0c+UIKjb29ZM9upRT3ZWVb/WFb5Yzc+m39wL6T57NBP
D/oOzfXtYjpfDU8xMVVhJQJtU/xhMYdSP1uWkNb1m6lRwxrc/ym/u/2z+NNT
/Eev13/F9fpE153i+v8MjeJ3//F/p+/g75gf3CxSfvvkD7Z+mA+rEJRgFliK
ytOl0+ZB9mHlU4lH0GNxeQfrZgYpOt/h/jhgmY9PgZSEP6EpVLkJPhKQGA2o
xKor++t3Wq8WDmG2+AhmeopGCn0jPM+ODF8XboBMTmfa212brGCRTv5FLRel
p3uHCd5q6spEDQxo2oCCez9sk9uCMdKvxfKrk1OzUmkplP7RQk+0k6F+wnx0
UysgpaV3kCLxYrMcDygDVBm41TSqHaKSendT30FDe6Pqdpuqe0NpUSINs9Nh
Y2OEVC+MmP5GGvxd9GErBV9ztp2h0x+tlQABNKgvAMd+SKFTAncLsBiyPuxA
YgBmQjsEoDZDD3dvooR2T2xUgIFPsd02nV6tkVLS04H8p8V8kmLA1M10Ps1x
otHoKPTjL+iUwP4u74GjG8ZhPf22P4mnjcm16ZhtiwilrqFTr0Kx59V+ZfU0
PDewDmMmTGsdGiGVDYeglkJYmBn9b6gQKEtt+e5O208ZURtFw+RlXCSZYTfy
H4vSqyaqPXZP47GVfJeTO3ep1U1a7KdI8tYtV/jhdpHn03im1tFCFQtezeAe
DgG2OzDCdb+Y06YryItJ5bNuek/q5Z+uuZNHzzFAEIby/HnH2/I3/5CLv5v5
E8Gh/1COlxYMbfbvd4Ch3+Gg7pbT1T3MwzyfgsYs3L3kiKdvSv97ukiIWs0O
eL1BPMQhH6/RwV62SMlPjXehY/peaxY8aAMPuaAiSdoNAQ9WL0rknEoaqaqJ
ug44csSrX67e8J9+foN33OUqPaI9hpOfTvrDm8q5pKHhRgky0Xyh72x3DlqY
TCawEsl7lEr8JHk/X3ycqfSddqN8Pi78ISr9/tF88Ug3WWTTgqTHjQeKZpPz
9+QEv1ULGAr/oJbT7L4quc6BIFZwMVnhUzCUp7pwyGo5je9WBQHqRDGQXItb
6F48neFc4oO6/DYWnoJPxwghT6+XKNvknJ/c5P/6f+f5F70v8fnN9Gaxuobl
nkmY6vLq1UplcO8LfGjxL4sP5fXL6XsJKu3Fv/63d7O7eVpe1q2D1nq5uJvJ
G1m183wp5yCxE8lfy9niJgbWLL/6cZpO4fIige6X116jGOYf4M0I1a5Wi/df
6h2Tz69AZqoZ/4uazmZqtVJfiLVwNbLZHeCh/x9fLpTNS3MBAA==
</rfc> </rfc>
 End of changes. 339 change blocks. 
1450 lines changed or deleted 881 lines changed or added

This html diff was produced by rfcdiff 1.48.