From 4f40306dd82900e8b10a537fba998cff2d5f5b46 Mon Sep 17 00:00:00 2001
From: fpalombini
+ The DTLS protocol provides communications
+ privacy for datagram protocols. The protocol allows client/server
+ applications to communicate in a way that is designed to prevent
+ eavesdropping, tampering, or message forgery. Datagram Transport Layer Security Version 1.2
+ The DTLS 1.2 protocol is
+ based on the Transport Layer Security (TLS) version 1.2 protocol and provides
+ equivalent security guarantees.
+
+ It has been published as RFC 6347 in January 2012.
+
+ View details »
+
+ Datagram Transport Layer Security Version 1.3
+
+ The DTLS 1.3 protocol is intentionally based on the Transport Layer
+ Security (TLS) 1.3 protocol and provides equivalent security
+ guarantees with the exception of order protection/non-replayability.
+ Datagram semantics of the underlying transport are preserved by the
+ DTLS protocol.
+
+ The document is a work-in-progress in the IETF TLS working group.
+
+ View details »
+
+ DLS profile of the Authentication and Authorization for Constrained Environments Framework
+
+ This specification defines a profile of the ACE framework that allows
+ constrained servers to delegate client authentication and
+ authorization. The protocol relies on DTLS version 1.2 for
+ communication security between entities in a constrained network
+ using either raw public keys or pre-shared keys.
+
+ View details »
+ To enable CoAP's security on a tiny device, a tiny implementation of DTLS
+ for
+ Class 1
+ devices
+ Mbed TLS is a C library that implements cryptographic primitives, X.509 certificate manipulation and the SSL/TLS and DTLS protocols.
+
+ OSCORE provides end-to-end protection
+ between endpoints communicating using CoAP or CoAP-mappable HTTP.
+ OSCORE is designed for constrained nodes and networks supporting a
+ range of proxy operations, including translation between different
+ transport protocols.
+
+ A method for application-layer protection of
+ CoAP, using CBOR Object
+ Signing and Encryption (COSE).
+
+ OSCORE has been published as RFC 8613 in July 2019.
+
+ View details »
+
+ Secure Group Communication for CoAP
+
+ Employing the basic multicast functionality defined in RFC 7252,
+ RFC 7390
+ provides end-to-end security of CoAP
+ messages exchanged between members of a group, e.g. using IP
+ multicast. In particular, it provides source
+ authentication for CoAP group requests, sent by a client to multiple
+ servers, and the corresponding CoAP responses.
+
+ The document is a work-in-progress in the IETF CoRE working group.
+
+ View details »
+
+ OSCORE profile of the Authentication and Authorization for Constrained Environments Framework
+
+ It utilizes Object Security for Constrained RESTful Environments
+ (OSCORE) to provide communication security, server authentication,
+ and proof-of-possession for a key owned by the client and bound to an
+ OAuth 2.0 access token.
+
+ The document is a work-in-progress in the IETF ACE working group.
+
+ View details »
+
+ A portable C implementation of OSCORE usable for embedded devices. Usable on various platforms, especially embedded ones,
+ it describes its requirements towards the used platform's CoAP implementation
+ with a small generic API that can then be implemented by different CoAP libraries,
+ for example RIOT-OS's gcoap.
+ A C implementation of OSCORE usable with Contiki-NG.
+ OpenWSN supports OSCORE.
+ libcoap C implementation supports OSCORE.
+ Partial OSCORE (draft version 14) Proof of Concept Server implementation on top of Zephyr OS
+ for the 96Boards Nitrogen.
+ The ipsp and coap_server samples of zephyr are combined to set up CoAP over 6lowpan over Bluetooth.
+
+ An experimental OSCORE implementation using Rust. A demo of this implementation can be found here.
+ OSCORE submodule within Californium, it runs on the CoAP Californium library.
+ aiocoap supports full OSCORE support client-side; protected servers can be implemented based on it but are not automatic yet. CoAP.NET implementation in C# providing CoAP-based services to .NET applications supports OSCORE
+ A protocol dissector for OSCORE is part of
+ Wireshark.
+ The final OSCORE dissector, updated to reflect the RFC, is supported by Wireshark 3.2.3, the
+ stable version
+ of Wireshark.
+
+ A number of interoperability tests have been defined and run for OSCORE, and are work in progress for OSCORE group communication.
+
+ EricssonResearch.github.io/OSCOAP
+ contains test specifications and interop reports for OSCORE.
+ The recorded pcap for some of these sessions can be found here
+
+ EricssonResearch.github.io/Multicast-OSCOAP
+ contains test specifications for OSCORE group communication.
+
+ The Internet of Things cannot spread as long as it can be exploited by hackers willy-nilly.
+ CoAP does not just pay lip service to security, it actually provides strong security.
+ The IETF is working on several security mechanisms.
+
+ The DTLS protocol provides communications
+ privacy for datagram protocols. The protocol allows client/server
+ applications to communicate in a way that is designed to prevent
+ eavesdropping, tampering, or message forgery. The DTLS protocol is
+ based on the Transport Layer Security (TLS) protocol.
+
+ The IETF ACE working group is developing a standard that allows
+ constrained servers to delegate client authentication and
+ authorization, and set up a DTLS 1.2 channel between the entities.
+ DTLS profile of Ace
+
+ OSCORE provides end-to-end protection
+ between endpoints communicating using CoAP or CoAP-mappable HTTP.
+ OSCORE is designed for constrained nodes and networks supporting a
+ range of proxy operations, including translation between different
+ transport protocols.
+
+ OSCORE is extended with a mechanism to protect group communication using CoAP, called Group OSCORE.
+
+ The IETF ACE working group is developing a standard that allows
+ constrained servers to delegate client authentication and
+ authorization, and set up OSCORE between the entities.
+ OSCORE profile of Ace
+
+ Several other specifications work together to support security in CoAP. Enhancements to CoAP that mitigate security issues in particular use
+ cases are been developed.
+
+ The Echo option enables a CoAP server to verify the freshness
+ of a request or to force a client to demonstrate reachability at its
+ claimed network address; it is now the recommeded way to mitigate
+ amplification attacks.
+
+ The Request-Tag option allows the CoAP server
+ to match block-wise message fragments belonging to the same request.
+
+ The update to the client Token processing requirements of CoAP
+ forbids non-secure reuse of Tokens to ensure binding of responses to
+ requests when CoAP is used with security.
+
+ View details »
+ Datagram Transport Layer Security
+
+
+ Specifications
+
+
+ DTLS 1.2
+
+ DTLS 1.3
+ DTLS profile of ACE
+
+ Implementations
+
+ tinydtls
+ MbedTLS
+
+ Tools
+
+ Object Security for Constrained RESTful Environments
+
+
+ Specifications
+
+
+ OSCORE
+
+ Group OSCORE
+ OSCORE profile of ACE
+
+ Implementations
+
+ Constrained
+ libOSCORE
+ Contiki-NG OSCORE
+ OSCORE for OpenWSN
+ OSCORE for libcoap
+ c_OSCORE
+ Rust OSCORE
+ Non-constrained
+ Californium OSCORE
+ OSCORE for aiocoap
+ OSCORE for CoAP.NET
+
+ Tools
+
+
+ Wireshark dissector
+ Interoperability testing
+ CoAP Security
+
+
+ Transport Layer Security (DTLS)
+
+
+ Application Layer Security (OSCORE)
+
+ Other security extensions
+ Echo
+ Request-Tag
+ Token Processing
+ DTLS 1.3
- DLS profile of the Authentication and Authorization for Constrained Environments Framework + DTLS profile of the Authentication and Authorization for Constrained Environments Framework
This specification defines a profile of the ACE framework that allows
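Review bot: the Secure Group Communication paragraph ("Employing the basic multicast functionality defined in RFC 7252, / RFC 7390 / provides end-to-end security of CoAP") attributes the end-to-end protection to RFC 7390, yet the same section closes with "The document is a work-in-progress in the IETF CoRE working group" and the overview later names the mechanism Group OSCORE; RFC 7390 specifies group communication for CoAP, not its protection, so the sentence should say that Group OSCORE builds on the group communication of RFC 7252 and RFC 7390 to provide end-to-end security of CoAP messages exchanged between members of a group. Second, the DTLS 1.2 heading has been fused onto the end of the preceding paragraph ("... or message forgery. Datagram Transport Layer Security Version 1.2"); put it on its own line before "The DTLS protocol provides communications privacy", matching the layout used for "Datagram Transport Layer Security Version 1.3". Third, the DLS/DTLS correction at the bottom of the patch fixes only one copy of the heading: the added block still introduces "DLS profile of the Authentication and Authorization for Constrained Environments Framework", so both copies should be aligned in the same commit, and while there fix "recommeded" in the Echo paragraph and "are been developed" (should be "are being developed") in the introduction to the other extensions. Fourth, the status and version statements will date quickly: "The document is a work-in-progress" appears several times with no draft name or date, the c_OSCORE entry is the only implementation tied to "draft version 14" rather than RFC 8613 and should say whether it has been updated, and "supported by Wireshark 3.2.3, the stable version of Wireshark" pins a single release where "Wireshark 3.2.3 and later" would stay correct. Finally, the Echo, Request-Tag and Token processing paragraphs are the only sections carrying no document reference; add the specification they come from so the claims about amplification mitigation and response-to-request binding can be checked.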