Internet-Draft | ACE Pub-sub Profile | September 2023 |
Palombini, et al. | Expires 16 March 2024 | [Page] |
This document defines an application profile of the Authentication and Authorization for Constrained Environments (ACE) framework, to enable secure group communication in the Publish-Subscribe (pub/sub) architecture for the Constrained Application Protocol (CoAP) [draft-ietf-core-coap-pubsub], where Publishers and Subscribers communicate through a Broker. This profile relies on protocol-specific transport profiles of ACE to achieve communication security, server authentication, and proof-of-possession for a key owned by the Client and bound to an OAuth 2.0 Access Token. This document specifies the provisioning and enforcement of authorization information for Clients to act as Publishers and/or Subscribers, as well as the provisioning of keying material and security parameters that Clients use for protecting their communications end-to-end through the Broker.¶
Note to RFC Editor: Please replace "[draft-ietf-core-coap-pubsub]" with the RFC number of that document and delete this paragraph.¶
This note is to be removed before publishing as an RFC.¶
Discussion of this document takes place on the Authentication and Authorization for Constrained Environments Working Group mailing list ([email protected]), which is archived at https://mailarchive.ietf.org/arch/browse/ace/.¶
Source for this draft and an issue tracker can be found at https://github.com/ace-wg/pubsub-profile.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 16 March 2024.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
In a publish-subscribe (pub/sub) scenario, devices with limited reachability communicate via a Broker, which enables store-and-forward messaging between these devices. This effectively enables a form of group communication, where all the Publishers and Subscribers participating in the same pub/sub topic are considered members of the same group associated with that topic.¶
With a focus on the pub/sub architecture defined in [I-D.ietf-core-coap-pubsub] for the Constrained Application Protocol (CoAP) [RFC7252], this document defines an application profile of the Authentication and Authorization for Constrained Environments (ACE) framework [RFC9200], which enables pub/sub communication where a group of Publishers and Subscribers securely communicate through a Broker using CoAP.¶
Building on the message formats and processing defined in [I-D.ietf-ace-key-groupcomm], this document specifies the provisioning and enforcement of authorization information for Clients to act as Publishers and/or Subscribers at the Broker, as well as the provisioning of keying material and security parameters that Clients use for protecting end-to-end their communications via the Broker.¶
In order to protect the pub/sub operations at the Broker as well as the provisioning of keying material and security parameters, this profile relies on protocol-specific transport profiles of ACE (e.g., [RFC9202], [RFC9203], or [I-D.ietf-ace-edhoc-oscore-profile]) to achieve communication security, server authentication, and proof-of-possession for a key owned by the Client and bound to an OAuth 2.0 Access Token.¶
Furthermore, the content of published messages that are circulated by the Broker is protected end-to-end between the corresponding Publisher and the intended Subscribers. To this end, this profile relies on COSE [RFC9052][RFC9053] and on keying material provided to the Publishers and Subscribers participating in the same pub/sub topic. In particular, source authentication of published content is achieved by means of the corresponding Publisher signing such content with its own private key.¶
While this profile focuses on the pub/sub architecture for CoAP, this document also describes how it can be applicable to MQTT [MQTT-OASIS-Standard-v5]. Similar adaptations can also extend to further transport protocols and pub/sub architectures.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Readers are expected to be familiar with:¶
A principal interested to participate in group communication as well as already participating as a group member is interchangeably denoted as "Client", "pub/sub client", or "node".¶
This document describes how to use [RFC9200] and [I-D.ietf-ace-key-groupcomm] to perform authentication, authorization, and key distribution operations as overviewed in Section 2 of [I-D.ietf-ace-key-groupcomm], where the considered group is the security group including the pub/sub Clients that exchange end-to-end protected content through the Broker.¶
Pub/sub Clients communicate within their application groups, each of which is mapped to a pub/sub topic. Depending on the application, a pub/sub topic may consist of one or more sub-topics, which may have their own sub-topics and so on, thus forming a hierarchy. A security group SHOULD be associated with a single application group. However, the same application group MAY be associated with multiple security groups. Further details and considerations on the mapping between the two types of groups are out of the scope of this document.¶
This profile considers the architecture shown in Figure 1. A Client can act as a Publisher, or a Subscriber, or both, e.g., by publishing to some topics and subscribing to others. However, for the simplicity of presentation, this profile describes Publisher and Subscriber Clients separately.¶
Both Publishers and Subscribers Clients act as ACE Clients. The Broker acts as an ACE RS, and corresponds to the Dispatcher in [I-D.ietf-ace-key-groupcomm]. The Key Distribution Center (KDC) also acts as an ACE RS, and builds on what is defined for the KDC in [I-D.ietf-ace-key-groupcomm]. From a high-level point of view, the Clients interact with the KDC in order to join security groups, upon which they obtain the group keying material to use for protecting and verifying the content published in the corresponding pub/sub topics and protected end-to-end.¶
Both Publisher and Subscriber Clients MUST use the same pub/sub communication protocol for their interaction with the Broker. When using the profile defined in this document, such a protocol MUST be CoAP, which is used as described in [I-D.ietf-core-coap-pubsub]. What is specified in this document can apply to other pub/sub protocols such as MQTT [MQTT-OASIS-Standard-v5], or to further transport protocols.¶
All Publisher and Subscriber Clients MUST use CoAP when communicating with the KDC.¶
Furthermore, both Publisher and Subscriber Clients MUST use the same transport profile of ACE (e.g., [RFC9202] for DTLS; or [RFC9203] or [I-D.ietf-ace-edhoc-oscore-profile] for OSCORE) in their interaction with the Broker. In order to reduce the number of libraries that Clients have to support, it is RECOMMENDED that the same transport profile of ACE is used also for the interaction between the Clients and the KDC.¶
All communications between the involved entities MUST be secured.¶
The Client and the Broker MUST have a secure association, which they establish with the help of the AS and using a transport profile of ACE. This is shown by the interactions A and C in Figure 1. During this process, the Client obtains an Access Token from the AS and uploads it to the Broker, thus providing an evidence of the pub-sub topics that it is authorized to participate in, and with which permissions.¶
The Client and the KDC MUST have a secure association, which they also establish with the help of the AS and using a transport profile of ACE. This is shown by the interactions A and B in Figure 1. During this process, the Client obtains an Access Token from the AS and uploads it to the KDC, thus providing an evidence of the security groups that it can join, as corresponding to the pub/sub topics of interest at the Broker. Based on the permissions specified in the Access Token, the Client can request the KDC to join a security group, after which the Client obtains from the KDC the keying material to use for communicating with the other group members. This builds on the process for joining security groups with ACE defined in [I-D.ietf-ace-key-groupcomm] and further specified in this document.¶
In addition, this profile allows an anonymous Client to perform some of the discovery operations defined in Section 2.3 of [I-D.ietf-core-coap-pubsub] through the Broker, as shows by the interaction O in Figure 1. That is, an anonymous Client can discover:¶
However, an anonymous Client is not allowed to access topic resources at the Broker and obtain from those any additional information or metadata about the corresponding topic (e.g., the topic status, the URI of the topic-data resource where to publish or subscribe for that topic, or the URI to the KDC).¶
As highlighted in Figure 2, each Client maintains two different security associations pertaining to the pub/sub group communication. On the one hand, the Client has a pairwise security association with the Broker, which, as the ACE RS, verifies that the Client is authorized to publish and/or subscribe on a certain set of topics (Security Association 1). As discussed above, this security association is set up with the help of the AS and using a transport profile of ACE, when the Client obtains the Access Token to upload to the Broker.¶
On the other hand, separately for each topic, all the Publisher and Subscribers for that topic have a common, group security association, through which the published content sent through the Broker is protected end-to-end (Security Association 2). As discussed above, this security association is set up and maintained as the different Clients request the KDC to join the security group, upon which they obtain from the KDC the corresponding group keying material to use for protecting end-to-end and verifying the content of their pub/sub group communication.¶
In summary, this profile specifies the following functionalities.¶
Appendix A lists the specifications on this application profile of ACE, based on the requirements defined in Appendix A of [I-D.ietf-ace-key-groupcomm].¶
The Pub/Sub clients uses the following KDC resources to enable group communication:¶
KDC resource | Description | Operations |
---|---|---|
/ace-group | Required. Contains a set of group names, each corresponding to one of the specified group identifiers | FETCH (All Clients) |
/ace-group/GROUPNAME | Required. Contains symmetric group keying material associated with GROUPNAME | GET, POST (All) |
/ace-group/GROUPNAME/creds | Required. Contains the authentication credentials of all the Publisher members of the group with name GROUPNAME | GET, FETCH (All) |
/ace-group/GROUPNAME/num | Required. Contains the current version number for the symmetric group keying material of the group with name GROUPNAME | GET (All) |
/ace-group/GROUPNAME/nodes/NODENAME | Required. Contains the group keying material for that group member NODENAME in GROUPNAME. | GET, DELETE (All). PUT (Pub). |
/ace-group/GROUPNAME/nodes/NODENAME/cred | Required. Authentication credential for NODENAME in the group GROUPNAME | POST (Pub) |
/ace-group/GROUPNAME/kdc-cred | MUST be hosted if a group re-keying mechanism is used. Contains the authentication credential of the KDC for the group with name GROUPNAME. | GET (All) |
/ace-group/GROUPNAME/policies | Optional. Contains the group policies of the group with name GROUPNAME. | GET (All) |
Note that the use of these resources follows what is defined in [I-D.ietf-ace-key-groupcomm], and only additions or modifications to that specification are defined in this document.¶
This section describes the interactions between the joining node and the KDC to join a security group. Source authentication of a message sent within the group is ensured by means of a digital signature embedded in the message. Subscribers must be able to retrieve Publishers' authentication credentials from a trusted repository, to verify source authenticity of received messages. Hence, on joining a group, a Publisher node is expected to provide its own authentication credential to the KDC.¶
On a successful join, the Clients receive the symmetric COSE Key from the KDC to protect the payload of a published topic data.¶
The message exchange between the joining node and the KDC follows what is defined in Section 4.3.1.1 of [I-D.ietf-ace-key-groupcomm] and only additions or modifications to that specification are defined in this document.¶
After establishing a secure communication, the Client sends a Join Request to the KDC as described in Section 4.3 of [I-D.ietf-ace-key-groupcomm]. More specifically, the Client sends a POST request to the /ace-group/GROUPNAME endpoint, with Content-Format "application/ace-groupcomm+cbor". The payload MUST contain the following information formatted as a CBOR map, which MUST be encoded as defined in Section 4.3.1 of [I-D.ietf-ace-key-groupcomm]:¶
As a Publisher Client has its own authentication credential to use in a group, it MUST support client_cred', 'cnonce', 'client_cred_verify' parameters.¶
One of the following cases can occur when a new node attempts to join a group.¶
The joining node is a Publisher Client, and¶
Finally, the joining node MUST provide its own authentication credential again if it has provided the KDC with multiple authentication credentials during past joining processes intended for different groups. If the joining node provides its own authentication credential, the KDC performs consistency checks as per Section 4.1.1 and, in case of success, considers it as the authentication credential associated with the joining node in the group.¶
The 'client_cred_verify' parameter contains the proof-of-possession evidence, and is computed as defined below (REQ14).¶
The Publisher signs the scope, concatenated with N_S and concatenated with N_C using the private key corresponding to the public key in the 'client_cred' parameter.¶
The N_S may be either:¶
On receiving the Join Request, the KDC processes the request as defined in Section 4.3.1 of [I-D.ietf-ace-key-groupcomm], and may return a success or error response.¶
If the 'client_cred' field is present, the KDC verifies the signature in the 'client_cred_verify'. As PoP input, the KDC uses the value of the 'scope' parameter from the Join Request as a CBOR byte string, concatenated with N_S encoded as a CBOR byte string, concatenated with N_C encoded as a CBOR byte string. As public key of the joining node, the KDC uses either the one included in the authentication credential retrieved from the 'client_cred' parameter of the Join Request or the already stored authentication credential from previous interactions with the joining node. The KDC verifies the PoP evidence, which is a signature, by using the public key of the joining node, as well as the signature algorithm used in the group and possible corresponding parameters.¶
For a Publisher Client, the KDC assigns an available Sender ID that has not been used in the group. The KDC MUST NOT assign a Sender ID to the joining node if the node isn't a Publisher Client. The Sender ID MUST be unique within the group. Similar to [RFC8613], the Sender ID can be short: the maximum length of Sender ID in bytes equals the length of the AEAD nonce minus 6; for AES-CCM-16-64-128 the maximum length of Sender ID is 7 bytes.¶
In the case of any join request error, the KDC and the Client attempting to join follow the procedure defined in Section 4.1.3.¶
In the case of success, the Client is added to the list of current members, if not already a member. The Client is assigned a NODENAME and a sub-resource /ace-group/GROUPNAME/nodes/NODENAME. NODENAME is associated to the access token and secure session of the Client. Publishers' client credentials are also associated with the tuple containing NODENAME, GROUPNAME, a newly assigne sender ID and the access token. Note that, as long as the secure association between the client and the KDC persists, then the same client re-joining the group is recognized by the KDC by virtue of their secure association. As a consequence, the re-joining client keeps the same NODENAME and related subresource /ace-group/GROUPNAME/nodes/NODENAME, while receiving a new Sender ID according to the same criteria above.¶
The KDC responds with a Join Response with response code 2.01 (Created) if the Client has been added to the list of group members, and 2.04 (Changed) otherwise (e.g., if the Client is re-joining). The Content-Format is "application/ace-groupcomm+cbor". The payload (formatted as a CBOR map) MUST contain the following fields from the Join Response and encode them as defined in Section 4.3.1 of [I-D.ietf-ace-key-groupcomm]:¶
'key': The keying material for group communication includes:¶
'sign_params' parameter, specifying the parameters of the Signature Algorithm. This parameter is a CBOR array, which includes the following two elements: 'sign_alg_capab' and 'sign_key_type_capab'.¶
A Publisher Client MUST support 'group_SenderId' parameter (REQ29).¶
If the application requires backward security, the KDC MUST generate updated security parameters and group keying material, and provide it to the current group members, upon the new node's joining (see Section 4.2.4). In such a case, the joining node is not able to access secure communication in the pubsub group prior its joining.¶
Upon receiving the Join Response, the joining node retrieves the KDC's authentication credential from the 'kdc_cred' parameter. The joining node MUST verify the proof-of-possession (PoP) evidence, which is a signature, specified in the 'kdc_cred_verify' parameter of the Join Response (REQ21).¶
The KDC MUST reply with a 4.00 (Bad Request) error response to the Join Request in the following cases:¶
The 'client_cred' parameter is not present while the joining node is not going to join the group exclusively as a Subscriber, and any of the following conditions holds:¶
A 4.00 (Bad Request) error response from the KDC to the joining node MAY have content format application/ace-groupcomm+cbor and contain a CBOR map as payload. The CBOR map MAY include the 'kdcchallenge' parameter. If present, this parameter is a CBOR byte string, which encodes a newly generated 'kdcchallenge' value that the Client can use when preparing a new Join Request. In such a case the KDC MUST store the newly generated value as the 'kdcchallenge' value associated with the joining node, possibly replacing the currently stored value.¶
On receiving the Join Response, if 'kdc_cred' is present but the Client cannot verify the PoP evidence, the Client MUST stop processing the Join Response and MAY send a new Join Request to the KDC.¶
The Group Manager MUST return a 5.03 (Service Unavailable) response to a Publisher's join request in case there are currently no Sender IDs available.¶
A Publisher Client can contact the KDC to upload a new authentication credential to use in the group, and replace the currently stored one. To this end, it sends a CoAP POST request to the /ace-group/GROUPNAME/nodes/NODENAME/cred. The KDC replaces the stored authentication credential of this Client (identified by NODENAME) with the one specified in the request at the KDC, for the group identified by GROUPNAME.¶
A Client can actively request to leave the group. In this case, the Client sends a CoAP DELETE request to the endpoint /ace-group/GROUPNAME/nodes/NODENAME at the KDC, where GROUPNAME is the group name and NODENAME is its node name. KDC can also remove a group member due to any of the reasons described in Section 5 of [I-D.ietf-ace-key-groupcomm].¶
The KDC MUST trigger a group rekeying as described in Section 6 of [I-D.ietf-ace-key-groupcomm] due to a change in the group membership or the current group keying material approaching its expiration time. KDC MAY trigger regularly scheduled update of the group keying material.¶
Upon generating the new group keying material and before starting its distribution, the KDC MUST increment the version number of the group keying material. The KDC MUST preserve the current value of the Sender ID of each member in that group.¶
Default rekeying scheme is Point-to-point (Section 6.1 of [I-D.ietf-ace-key-groupcomm]), where KDC individually targets each node to rekey, using the pairwise secure communication association with that node.¶
If the group rekeying is performed due to one or multiple Publisher Clients that have joined the group, then a rekeying message includes sender IDs, and authentication credentials that the Publisher Clients use in the group. This information is specified by means of the parameters 'creds' and 'peer_identifiers', like done in the Join Response message (i.e., 'peer_roles' MAY be omitted).¶
(D) corresponds to the publication of a topic on the Broker, using a CoAP PUT. The publication (the resource representation) is protected with COSE ([RFC9052][RFC9053]) by the Publisher. The (E) message is the subscription of the Subscriber, and uses a CoAP GET with the Observe option set to 0 (zero) [I-D.ietf-core-coap-pubsub]. The (F) message is the response from the Broker, where the publication is protected with COSE by the Publisher. (ToDo: Add Delete to the flow?)¶
The Publisher uses the symmetric COSE Key received from the KDC to protect the payload of the Publish operation (Section 4.3 of [I-D.ietf-core-coap-pubsub]). Specifically, the COSE Key is used to create a COSE_Encrypt0 object with the AEAD algorithm specified by the KDC. The AEAD key lengths, AEAD nonce length, and maximum Sender Sequence Number (Partial IV) are algorithm dependent.¶
The Publisher uses the private key corresponding to the public key sent to the KDC to countersign the COSE Object as specified in [RFC9052] [RFC9053]. The payload is replaced by the COSE object before the publication is sent to the Broker.¶
The Subscriber uses the 'kid' in the 'countersignature' field in the COSE object to retrieve the right public key to verify the countersignature. It then uses the symmetric key received from KDC to verify and decrypt the publication received in the payload from the Broker (the publication is received through the Observe Notification or as the response to a GET request to the topic data resource).¶
The COSE object is constructed in the following way (as described in [RFC9052] [RFC9053]).¶
The protected Headers MUST contain:¶
The unprotected Headers MUST contain:¶
Countersignature version 2 header, version 2 counter signature on encrypted content as defined in [RFC9338][RFC9053], includes¶
The encryption and decryption operations are described in [RFC9052] [RFC9053]. The AEAD nonce is generated following the construction in Section 5.2 of [RFC8613] using the sender ID, Partial IV, and Base IV from the symmetric COSE Key received.¶
The steps MQTT clients go through would be similar to the CoAP clients, and the payload of the MQTT PUBLISH messages will be protected using COSE. The MQTT clients needs to use CoAP to communicate to the KDC, to join security groups, and be part of the pair-wise rekeying initiated by the KDC.¶
Authorisation Server (AS) Discovery is defined in Section 2.2.6.1 of [I-D.ietf-ace-mqtt-tls-profile] for MQTT v5 clients (and not supported for MQTT v3 clients). $SYS/ has been widely adopted as a prefix to topics that contain Server-specific information or control APIs, and may be used for topic and KDC discovery.¶
When the Client sends an authorisation request to the AS using the AIF-PUBSUB-GROUPCOMM data model, in the authorisation response, the 'profile' claim is set to "mqtt_pubsub_app" as defined in Section 8.2.¶
Both Publisher and Subscriber Clients MUST authorise to the Broker with their respective tokens (described in [I-D.ietf-ace-mqtt-tls-profile]) i.e., anonymous Subscribers are not supported in the profile. A Publisher Client sends PUBLISH messages for a given topic and protects the payload with the corresponding key for the associated security group. The Broker validates the PUBLISH message by verifying its topic in the stored token. A Subscriber Client may send SUBSCRIBE messages with one or multiple topic filters. A topic filter may correspond to multiple topics. The Broker validates the SUBSCRIBE message by checking the stored token for the Client. The Broker forwards all PUBLISH messages to all authorised Subscribers, including the retained messages.¶
All the security considerations in [I-D.ietf-ace-key-groupcomm] apply.¶
In the profile described above, the Publisher and Subscriber use asymmetric crypto, which would make the message exchange quite heavy for small constrained devices. Moreover, all Subscribers must be able to access the public keys of all the Publishers to a specific topic to verify the publications.¶
Even though Access Tokens have expiration times, an Access Token may need to be revoked before its expiration time (see [I-D.draft-ietf-ace-revoked-token-notification] for a list of possible circumstances). Clients can be excluded from future publications through re-keying for a certain topic. This could be set up to happen on a regular basis, for certain applications. How this could be done is out of scope for this work. The method described in [I-D.draft-ietf-ace-revoked-token-notification] MAY be used to allow an Authorization Server to notify the KDC about revoked Access Tokens.¶
The Broker is only trusted with verifying that the Publisher is authorized to publish, but is not trusted with the publications itself, which it cannot read nor modify.¶
With respect to the reusage of nonces for Proof-of-Possession input, the same considerations apply as in the [I-D.ietf-ace-key-groupcomm-oscore].¶
TODO: expand on security and privacy considerations¶
Note to RFC Editor: Please replace "[RFC-XXXX]" with the RFC number of this document and delete this paragraph.¶
This document has the following actions for IANA.¶
IANA is asked to register the following entry in the "ACE Groupcomm Key Types" registry defined in Section 11.7 of [I-D.ietf-ace-key-groupcomm].¶
IANA is asked to register the following entries in the "ACE Groupcomm Profiles" registry defined in Section 11.8 of [I-D.ietf-ace-key-groupcomm].¶
IANA is asked to register the following entry in the "Resource Type (rt=) Link Target Attribute Values" registry within the "Constrained Restful Environments (CoRE) Parameters" registry group.¶
Clients can use this resource type to discover a group membership resource at the KDC.¶
For the media-types application/aif+cbor and application/aif+json defined in Section 5.1 of [RFC9237], IANA is requested to register the following entries for the two media-type parameters Toid and Tperm, in the respective sub-registry defined in Section 5.2 of [RFC9237] within the "MIME Media Type Sub-Parameter" registry group.¶
IANA is asked to register the following entries to the "CoAP Content-Formats" registry within the "Constrained RESTful Environments (CoRE) Parameters" registry group.¶
This section lists the specifications on this profile based on the requirements defined in Appendix A of [I-D.ietf-ace-key-groupcomm].¶
RFC EDITOR: PLEASE REMOVE THIS SECTION.¶
The authors wish to thank Ari Keränen, John Preuß Mattsson, Jim Schaad, Ludwig Seitz, and Göran Selander for the useful discussion and reviews that helped shape this document.¶
The work on this document has been partly supported by the H2020 project SIFIS-Home (Grant agreement 952652).¶