coap-technology · fpalombini · May 19, 2020 · Jun 11, 2020
diff --git a/_layouts/default.html b/_layouts/default.html
@@ -41,9 +41,51 @@
                 <li>
                   <a href='/tools.html'>Tools</a>
                 </li>
+{% if page.subbar %}
+                <li class="active">
+                  <a href='/sec/sec.html'>
+                    <span class='unabbr'>Security</span>
+                    <span class='abbr'>Sec</span>
+                  </a>
+                </li>
               </ul>
             </div>
           </div>
+            <div class='navbar-inner'>
+              <div class='container'>
+                <ul class='nav'>
+                  <li>
+                    <a href='/sec/sec.html'> Security Overview
+                      <span class='unabbr' hidden >SecOverview</span>
+                      <span class='abbr'>SecOver</span>
+                    </a>
+                  </li>
+                  <li>
+                    <a href='/sec/dtls.html'>
+                      <span class='unabbr' >DTLS</span>
+                      <span class='abbr' >DTLS</span>
+                    </a>
+                  </li>
+                  <li>
+                    <a href='/sec/oscore.html'>
+                      <span class='unabbr' >OSCORE</span>
+                      <span class='abbr'>OSC</span>
+                    </a>
+                  </li>
+                </ul>
+              </div>
+            </div>
+{% else %}
+            <li>
+              <a href='/sec/sec.html'>Security
+                <span class='unabbr' hidden >Security</span>
+                <span class='abbr'>Sec</span>
+              </a>
+            </li>
+            </ul>
+            </div>
+            </div>
+{% endif %}
         </div>
       </div>
 {{ content }}

diff --git a/sec/DTLS.html b/sec/DTLS.html
@@ -0,0 +1,89 @@
+---
+layout: default
+title: DTLS
+subbar: true
+---
+<div class='jumbotron'>
+  <h2>Datagram Transport Layer Security</h2>
+  <p class='lead'>
+    The DTLS protocol provides communications
+    privacy for datagram protocols. The protocol allows client/server
+    applications to communicate in a way that is designed to prevent
+    eavesdropping, tampering, or message forgery.</p>
+</div>
+<hr>
+<div class='row-fluid'>
+  <div class='span4'>
+
+    <h2>
+      Specifications
+    </h2>
+    <h3>
+      DTLS 1.2
+    </h3>
+    <p>Datagram Transport Layer Security Version 1.2</p>
+    <p>
+      The DTLS 1.2 protocol is
+      based on the Transport Layer Security (TLS) version 1.2 protocol and provides
+      equivalent security guarantees.
+    </p>
+    <p>
+      It has been published as RFC 6347 in January 2012.
+    </p>
+    <p>
+      <a class='btn' href='http://tools.ietf.org/html/rfc6347'>View details &raquo;</a>
+    </p>
+    <h3>DTLS 1.3</h3>
+    <p>
+      Datagram Transport Layer Security Version 1.3
+    </p>
+    <p>
+      The DTLS 1.3 protocol is intentionally based on the Transport Layer
+      Security (TLS) 1.3 protocol and provides equivalent security
+      guarantees with the exception of order protection/non-replayability.
+      Datagram semantics of the underlying transport are preserved by the
+      DTLS protocol.
+    </p>
+    <p>
+      The document is a work-in-progress in the IETF TLS working group.
+    </p>
+    <p>
+      <a class='btn' href='https://tools.ietf.org/html/draft-ietf-tls-dtls13'>View details &raquo;</a>
+    </p>
+    <h3 id="ace-dtls-profile" >DTLS profile of ACE</h3>
+    <p>
+      DTLS profile of the Authentication and Authorization for Constrained Environments Framework
+    </p>
+    <p>
+      This specification defines a profile of the ACE framework that allows
+   constrained servers to delegate client authentication and
+   authorization.  The protocol relies on DTLS version 1.2 for
+   communication security between entities in a constrained network
+   using either raw public keys or pre-shared keys.
+    </p>
+    <p>
+      <a class='btn' href='https://tools.ietf.org/html/draft-ietf-ace-dtls-authorize'>View details &raquo;</a>
+    </p>
+  </div>
+  <div class='span4'>
+    <h2>
+      Implementations
+    </h2>
+    <h3>tinydtls</h3>
+    <p>To enable CoAP's security on a tiny device, a tiny implementation of DTLS
+      for
+      <a href="http://tools.ietf.org/html/rfc7228">Class 1</a>
+      devices</p>
+    <p><a class="btn" href="http://tinydtls.sourceforge.net/">View details »</a></p>
+    <h3>MbedTLS</h3>
+    <p>
+      Mbed TLS is a C library that implements cryptographic primitives, X.509 certificate manipulation and the SSL/TLS and DTLS protocols.
+    </p>
+    <p><a class="btn" href="https://github.com/ARMmbed/mbedtls">View details »</a></p>
+  </div>
+  <div class='span4'>
+    <h2>
+      Tools
+    </h2>
+  </div>
+</div>
diff --git a/sec/OSCORE.html b/sec/OSCORE.html
@@ -0,0 +1,161 @@
+---
+layout: default
+title: OSCORE
+subbar: true
+---
+<div class='jumbotron'>
+  <h2>Object Security for Constrained RESTful Environments</h2>
+  <p class='lead'>
+    OSCORE provides end-to-end protection
+    between endpoints communicating using CoAP or CoAP-mappable HTTP.
+    OSCORE is designed for constrained nodes and networks supporting a
+    range of proxy operations, including translation between different
+    transport protocols.
+  </p>
+</div>
+<hr>
+<div class='row-fluid'>
+  <div class='span4'>
+
+    <h2>
+      Specifications
+    </h2>
+    <h3>
+      OSCORE
+    </h3>
+    <p>
+      A method for application-layer protection of
+      CoAP, using <a href=http://tools.ietf.org/html/rfc8152>CBOR Object
+        Signing and Encryption (COSE)</a>.
+    </p>
+    <p>
+      OSCORE has been published as <a href=http://tools.ietf.org/html/rfc8613>RFC 8613</a> in July 2019.
+    </p>
+    <p>
+      <a class='btn' href='http://tools.ietf.org/html/rfc8613'>View details &raquo;</a>
+    </p>
+    <h3 id="group-oscore" >Group OSCORE</h3>
+    <p>
+      Secure Group Communication for CoAP
+    </p>
+    <p>
+      Employing the basic multicast functionality defined in RFC 7252,
+      <a href='http://tools.ietf.org/html/rfc7390'>RFC 7390</a>
+      provides end-to-end security of CoAP
+      messages exchanged between members of a group, e.g. using IP
+      multicast. In particular, it provides source
+      authentication for CoAP group requests, sent by a client to multiple
+      servers, and the corresponding CoAP responses.
+    </p>
+    <p>
+      The document is a work-in-progress in the IETF CoRE working group.
+    </p>
+    <p>
+      <a class='btn' href='https://tools.ietf.org/html/draft-ietf-core-oscore-groupcomm'>View details &raquo;</a>
+    </p>
+    <h3 id="ace-oscore-profile" >OSCORE profile of ACE</h3>
+    <p>
+      OSCORE profile of the Authentication and Authorization for Constrained Environments Framework
+    </p>
+    <p>
+      It utilizes Object Security for Constrained RESTful Environments
+      (OSCORE) to provide communication security, server authentication,
+      and proof-of-possession for a key owned by the client and bound to an
+      OAuth 2.0 access token.
+    </p>
+    <p>
+      The document is a work-in-progress in the IETF ACE working group.
+    </p>
+    <p>
+      <a class='btn' href='https://tools.ietf.org/html/draft-ietf-ace-oscore-profile'>View details &raquo;</a>
+    </p>
+
+  </div>
+  <div class='span4'>
+    <h2>
+      Implementations
+    </h2>
+    <h3>Constrained</h3>
+    <h4>libOSCORE</h4>
+    <p>
+      A portable C implementation of OSCORE usable for embedded devices. Usable on various platforms, especially embedded ones,
+      it describes its requirements towards the used platform's CoAP implementation
+      with a small generic API that can then be implemented by different CoAP libraries,
+      for example <a href="https://riot-os.org/">RIOT-OS</a>'s gcoap.
+    </p>
+    <p><a class="btn" href="https://gitlab.com/oscore/liboscore">View details »</a></p>
+
+    <h4>Contiki-NG OSCORE</h4>
+    <p>A C implementation of OSCORE usable with <a href="https://www.contiki-ng.org/">Contiki-NG</a>.</p>
+    <p><a class="btn" href="https://github.com/Gunzter/contiki-ng/tree/master">View details »</a></p>
+
+    <h4>OSCORE for OpenWSN</h4>
+    <p>
+      <a href="http://www.openwsn.org/">OpenWSN</a> supports OSCORE.
+    </p>
+    <p><a class="btn" href="https://github.com/openwsn-berkeley/openwsn-fw">View details »</a></p>
+
+    <h4>OSCORE for libcoap</h4>
+    <p><a href="https://libcoap.net/">libcoap</a> C implementation supports OSCORE.</p>
+    <p><a class="btn" href="https://gitlab.informatik.uni-bremen.de/obergman/libcoap/-/tree/oscore">View details »</a></p>
+
+    <h4>c_OSCORE</h4>
+    <p>
+      Partial OSCORE (draft version 14) Proof of Concept Server implementation on top of <a href="https://www.zephyrproject.org/">Zephyr OS</a>
+      for the <a href="https://www.96boards.org/product/nitrogen/">96Boards Nitrogen</a>.
+      The ipsp and coap_server samples of zephyr are combined to set up CoAP over 6lowpan over Bluetooth.
+    </p>
+    <p><a class="btn" href="https://github.com/Fraunhofer-AISEC/c_OSCORE">View details »</a></p>
+
+    <h4>Rust OSCORE</h4>
+    <p>
+      An experimental OSCORE implementation using Rust. A demo of this implementation can be found <a href="https://github.com/martindisch/oscore-demo">here</a>.
+    </p>
+    <p><a class="btn" href="https://github.com/martindisch/oscore">View details »</a></p>
+
+    <h3>Non-constrained</h3>
+    <h4>Californium OSCORE</h4>
+    <p><a href="https://projects.eclipse.org/projects/iot.californium">OSCORE submodule within Californium</a>, it runs on the CoAP Californium library.
+    </p>
+    <p><a class="btn" href="https://github.com/eclipse/californium/tree/master/cf-oscore">View details »</a></p>
+  </div>
+
+  <h4>OSCORE for aiocoap</h4>
+  <p>aiocoap supports full OSCORE support client-side; protected servers can be implemented based on it but are not automatic yet.</p>
+  <p><a class="btn" href="https://github.com/chrysn/aiocoap">View details »</a></p>
+
+  <h4>OSCORE for CoAP.NET</h4>
+  <p>CoAP.NET implementation in C# providing CoAP-based services to .NET applications supports OSCORE</p>
+  <p><a class="btn" href="https://github.com/Com-AugustCellars/CoAP-CSharp">View details »</a></p>
+
+  <div class='span4'>
+    <h2>
+      Tools
+    </h2>
+
+    <h3>Wireshark dissector</h3>
+    <p>
+      A protocol dissector for OSCORE is part of
+      <a href='http://www.wireshark.org'>Wireshark</a>.
+      The final OSCORE dissector, updated to reflect the RFC, is supported by Wireshark 3.2.3, the
+      <a href='http://www.wireshark.org/download.html'>stable version</a>
+      of Wireshark.
+    </p>
+
+    <h3>Interoperability testing</h3>
+    <p>
+      A number of interoperability tests have been defined and run for OSCORE, and are work in progress for OSCORE group communication.
+    </p>
+    <p>
+      <a href='https://ericssonresearch.github.io/OSCOAP/'>EricssonResearch.github.io/OSCOAP</a>
+      contains test specifications and interop reports for OSCORE.
+      The recorded pcap for some of these sessions can be found <a href='https://github.com/EricssonResearch/OSCOAP'>here</a>
+    </p>
+
+    <p>
+      <a href='https://ericssonresearch.github.io/Multicast-OSCOAP/'>EricssonResearch.github.io/Multicast-OSCOAP</a>
+      contains test specifications for OSCORE group communication.
+    </p>
+
+  </div>
+</div>
diff --git a/sec/sec.html b/sec/sec.html
@@ -0,0 +1,83 @@
+---
+layout: default
+title: SecOverview
+subbar: true
+---
+<div class='jumbotron'>
+  <h2>CoAP Security</h2>
+  <p class='lead'>
+    The Internet of Things cannot spread as long as it can be exploited by hackers willy-nilly.
+    CoAP does not just pay lip service to security, it actually provides strong security.
+    The IETF is working on several security mechanisms.
+  </p>
+</div>
+<hr>
+<div class='row-fluid'>
+  <div class='span4'>
+    <h2>
+      <a href='/sec/dtls.html'>Transport Layer Security (DTLS)</a>
+    </h2>
+    <p>
+      The DTLS protocol provides communications
+      privacy for datagram protocols. The protocol allows client/server
+      applications to communicate in a way that is designed to prevent
+      eavesdropping, tampering, or message forgery. The DTLS protocol is
+      based on the <a href="https://tools.ietf.org/html/rfc5246">Transport Layer Security (TLS)</a> protocol.
+    </p>
+    <p>
+      The IETF ACE working group is developing a standard that allows
+   constrained servers to delegate client authentication and
+   authorization, and set up a DTLS 1.2 channel between the entities.
+      <a href="/sec/DTLS.html#ace-dtls-profile">DTLS profile of Ace</a>
+    </p>
+  </div>
+  <div class='span4'>
+    <h2>
+      <a href='/sec/OSCORE.html'>Application Layer Security (OSCORE)</a>
+    </h2>
+    <p>
+      OSCORE provides end-to-end protection
+      between endpoints communicating using CoAP or CoAP-mappable HTTP.
+      OSCORE is designed for constrained nodes and networks supporting a
+      range of proxy operations, including translation between different
+      transport protocols.
+    </p>
+    <p>
+      OSCORE is extended with a mechanism to protect group communication using CoAP, called <a href='/sec/OSCORE.html#group-oscore'>Group OSCORE</a>.
+    </p>
+    <p>
+      The IETF ACE working group is developing a standard that allows
+   constrained servers to delegate client authentication and
+   authorization, and set up OSCORE between the entities.
+      <a href="/sec/OSCORE.html#ace-oscore-profile">OSCORE profile of Ace</a>
+    </p>
+  </div>
+  <div class='span4'>
+    <h2>Other security extensions</h2>
+    <p>
+      Several other specifications work together to support security in CoAP. Enhancements to CoAP that mitigate security issues in particular use
+      cases are been developed.
+    </p>
+    <h3>Echo</h3>
+    <p>
+      The Echo option enables a CoAP server to verify the freshness
+      of a request or to force a client to demonstrate reachability at its
+      claimed network address; it is now the recommeded way to mitigate
+      amplification attacks.
+    </p>
+    <h3>Request-Tag</h3>
+    <p>
+      The Request-Tag option allows the CoAP server
+      to match <a href='https://tools.ietf.org/html/rfc7959'>block-wise message</a> fragments belonging to the same request.
+    </p>
+    <h3>Token Processing</h3>
+    <p>
+      The update to the client Token processing requirements of CoAP
+      forbids non-secure reuse of Tokens to ensure binding of responses to
+      requests when CoAP is used with security.
+    </p>
+    <p>
+      <a class='btn' href='https://tools.ietf.org/html/draft-ietf-core-echo-request-tag-09'>View details &raquo;</a>
+    </p>
+  </div>
+</div>