UTA Working Group                                            P. Urien
  Internet Draft                                      Telecom ParisTech
  Intended status: Experimental

December 2019
Expires: June 2020

TLS and DTLS Security Modules
draft-urien-uta-tls-dtls-security-module-09.txt


Abstract

Security and trust are critical topics in the context of anywhere, anytime, anything Internet connectivity. TLS and DTLS are two major IETF protocols widely used to secure IP exchanges. According to CoAP, DTLS is the protocol used by constrained nodes in the Internet of Things (IoT) context.

In this draft we specify an ISO7816 interface for TLS and DTLS secure modules based on ISO7816 secure chips, which are today manufactured by the billions every year.

Secure elements are cheap secure microcontrollers whose size is about 25 mm2 and whose security is ranked by evaluations, typically according to Common Criteria (CC) standards.

Support for TLS and DTLS is based on the EAP-TLS protocol and on the IETF draft "EAP Support in smartcard", which describes EAP-TLS support for secure elements. A first implementation demonstrates that such low-cost security modules are realistic, with a handshake setup time under one second.


Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.














Urien Expires June 2020 [page 1]


TLS and DTLS Security Modules December 2019


Status of this Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire in June 2020.


Copyright Notice

Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents

   Abstract
   Requirements Language
   Status of this Memo
   Copyright Notice
   1 Overview
   2 The EAP-TLS Smartcard
      2.1 The EAP-TLS protocol
      2.2 The EAP-TLS Smartcard
   4 The TLS Security Module
      4.1 EAP-TLS for TLS Security Module
      4.2 The TLS / EAP-TLS Software Bridge
      4.3 The TLS Security Module Encryption and Decryption procedures
   5 The DTLS Security Module
      5.1 EAP-TLS for DTLS Security Module
      5.2 The DTLS / EAP-TLS Software Bridge
      5.3 The DTLS Security Module Encryption and Decryption procedures
   6 Example of TLS processing by the TLS security module
   7 Example of DTLS processing by the DTLS security module
   8 Security Considerations
   9 IANA Considerations
   10 References
      10.1 Normative References
      10.2 Informative References
   11 Authors' Addresses
1 Overview

Security and trust are critical topics in the context of anywhere, anytime, anything Internet connectivity. TLS [TLS 1.0], [TLS 1.1], [TLS 1.2] and DTLS [DTLS 1.0], [DTLS 1.2] are two major IETF protocols widely used to secure IP exchanges. According to [COAP], DTLS is the protocol used by constrained nodes in the Internet of Things (IoT) context. In this draft we specify an interface for TLS and DTLS secure modules based on [ISO7816] secure chips, which are today manufactured by the billions every year. Secure elements are cheap secure microcontrollers whose size is about 25 mm2 and whose security is ranked by evaluations, typically according to Common Criteria (CC) standards. Support for TLS and DTLS is based on the EAP-TLS [EAP-TLS] protocol and on the IETF draft [EAP SC] "EAP Support for Smartcards", which describes EAP-TLS support for secure elements. A first implementation demonstrates that such low-cost security modules are realistic, with a handshake setup time under one second.

2 The EAP-TLS Smartcard

2.1 The EAP-TLS protocol

The EAP-TLS [EAP-TLS] protocol (as illustrated by figure 1) defines a transparent transport of the TLS protocol until the exchange of the finished messages (for both server and client). According to EAP-TLS, and similarly to DTLS [DTLS 1.0] [DTLS 1.2], messages are grouped into a series of flights (four for the TLS full mode, and three for TLS session resumption).

The EAP-TLS protocol supports segmentation and reassembly operations managed via the "Flags" byte, which is detailed below:

     0 1 2 3 4 5 6 7
    +-+-+-+-+-+-+-+-+
    |L M S R R R R R|
    +-+-+-+-+-+-+-+-+

   L = Length included
   M = More fragments
   S = Start bit
   R = Reserved

- The L bit (length included) is set to indicate the presence of the four-octet TLS Message Length field, and MUST be set for the first fragment of a fragmented TLS message or set of messages.
- The M bit (more fragments) is set on all but the last fragment.
- The S bit (EAP-TLS start) is set in an EAP-TLS Start message.

When an EAP-TLS peer receives an EAP-Request packet with the M bit set, it MUST respond with an EAP-Response with EAP-Type=EAP-TLS and no data. This serves as a fragment ACK.
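
The fragment handling described above, as an added Python example that is not part of the draft: a bridge-side reassembler that enforces the L and M bit rules and emits the empty fragment ACK. The names build, parse, Reassembler, fragment and MAX_MESSAGE are assumptions of this example, and the sample flight is constructed.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_TLS = 1, 2, 0x0D
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # bit 0 of the Flags byte is the MSB
MAX_MESSAGE = 16384                          # assumed local cap on one flight


class EapTlsError(ValueError):
    """Malformed or inconsistent EAP-TLS packet."""


def build(code, ident, flags, data=b"", tls_len=0):
    """Serialise one EAP-TLS packet; tls_len is written only when L is set."""
    body = bytes([EAP_TYPE_TLS, flags])
    if flags & FLAG_L:
        body += struct.pack(">I", tls_len)
    body += data
    return struct.pack(">BBH", code, ident, 4 + len(body)) + body


def parse(packet):
    """Return (code, ident, flags, tls_len or None, data) after length checks."""
    if len(packet) < 6:
        raise EapTlsError("packet shorter than the EAP-TLS header")
    code, ident, length, eap_type, flags = struct.unpack(">BBHBB", packet[:6])
    if length != len(packet):
        raise EapTlsError("EAP Length field does not match packet size")
    if eap_type != EAP_TYPE_TLS:
        raise EapTlsError("EAP-Type is not EAP-TLS")
    if flags & FLAG_L:
        if length < 10:
            raise EapTlsError("L bit set but TLS Message Length is missing")
        return code, ident, flags, struct.unpack(">I", packet[6:10])[0], packet[10:]
    return code, ident, flags, None, packet[6:]


class Reassembler:
    """Collects the fragments of one flight and produces fragment ACKs."""

    def __init__(self):
        self._reset()

    def _reset(self):
        self.buf, self.expected, self.active = bytearray(), None, False

    def feed(self, packet):
        """Return (ack, None) while fragments follow, (None, flight) at the end."""
        try:
            return self._feed(packet)
        except EapTlsError:
            self._reset()            # fail closed: drop partial data on any error
            raise

    def _feed(self, packet):
        code, ident, flags, tls_len, data = parse(packet)
        if not self.active:
            if flags & FLAG_M and tls_len is None:
                raise EapTlsError("first fragment must carry the L bit")
            if tls_len is not None and tls_len > MAX_MESSAGE:
                raise EapTlsError("announced TLS Message Length exceeds local cap")
            self.expected = tls_len
        elif tls_len is not None and tls_len != self.expected:
            raise EapTlsError("TLS Message Length changed between fragments")
        self.buf += data
        limit = MAX_MESSAGE if self.expected is None else self.expected
        if len(self.buf) > limit:
            raise EapTlsError("fragments exceed the announced length")
        if flags & FLAG_M:
            self.active = True
            # ACK with no data: a Request is answered by a Response with the same
            # Identifier, a Response by a Request with the next Identifier.
            if code == EAP_REQUEST:
                return build(EAP_RESPONSE, ident, 0), None
            return build(EAP_REQUEST, (ident + 1) & 0xFF, 0), None
        if self.expected is not None and len(self.buf) != self.expected:
            raise EapTlsError("last fragment received but message is incomplete")
        flight = bytes(self.buf)
        self._reset()
        return None, flight


def fragment(flight, code, ident, chunk):
    """Split a flight into EAP-TLS packets (used to construct sample input)."""
    parts = [flight[i:i + chunk] for i in range(0, len(flight), chunk)] or [b""]
    out = []
    for n, part in enumerate(parts):
        flags = (FLAG_L if n == 0 else 0) | (FLAG_M if n < len(parts) - 1 else 0)
        out.append(build(code, (ident + n) & 0xFF, flags, part, len(flight)))
    return out


if __name__ == "__main__":
    sample = bytes(range(256)) + b"\x16\x03\x01" * 20    # constructed 316-byte flight
    r = Reassembler()
    for pkt in fragment(sample, EAP_REQUEST, 0x0D, 128):
        ack, done = r.feed(pkt)
        print("ACK " + ack.hex(" ") if ack else "flight of %d bytes" % len(done))
```
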


      Authenticating Peer        Authenticator
      EAP-TLS Smartcard (SC)     SC User
      -------------------     -------------
                              <- EAP-Request/
                              Identity
      EAP-Response/
      Identity (MyID) ->
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (TLS Start)
      EAP-Response/
      EAP-Type=EAP-TLS
      Flags
      (TLS client-hello)->                               Flight 1
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (TLS server-hello,         Flight 2
                              TLS certificate,
                              [TLS server-key-exchange,]
                              TLS certificate-request,
                              TLS server-hello-done)
      EAP-Response/
      EAP-Type=EAP-TLS
      Flags
      (TLS certificate,                                  Flight 3
      TLS client-key-exchange,
      TLS certificate-verify,
      TLS change-cipher-spec,
      TLS finished) ->
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (TLS change-cipher-spec,   Flight 4
                              TLS finished)
      EAP-Response/
      EAP-Type=EAP-TLS
      Flags ->

                              <- EAP-Success

Figure 1. The EAP-TLS protocol




2.2 The EAP-TLS Smartcard

The "EAP Support in Smartcard" draft [EAP SC] specifies an ISO7816 interface for a secure element (named EAP-TLS smartcard, in figure 1) that fully processes the EAP-TLS protocol until the reception of the EAP-Success message.

The two main commands are detailed in figure 2:

- Reset-State, which resets the EAP-TLS state machine,
- Process-EAP, which transports TLS flights encapsulated in EAP-TLS messages.

       +------------------------+-----+-----+----+----+----+----+
       |         Command        |Class| INS | P1 | P2 | Lc | Le |
       +------------------------+-----+-----+----+----+----+----+
       |       Process-EAP      | A0  |80-88| 00 | 00 | xx | yy |
       +------------------------+-----+-----+----+----+----+----+
       |       Reset-State      | A0  |  19 | 10 | 00 | 00 | 01 |
       +------------------------+-----+-----+----+----+----+----+
                                Figure 2

4 The TLS Security Module


4.1 EAP-TLS for the TLS Security Module

TLS security modules are based on EAP-TLS devices, performing, as illustrated by figure 3, a transparent encapsulation of TLS packets.

The EAP-Request-Identity message and EAP-Success message are not used by the TLS secure modules.
      Security Module (SM)       SM User
      -------------------     -------------
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (TLS Start)
      EAP-Response/
      EAP-Type=EAP-TLS
      Flags
      (TLS client-hello)->
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (TLS server-hello,
                              TLS certificate,
                              [TLS server-key-exchange,]
                              TLS certificate-request,
                              TLS server-hello-done)
      EAP-Response/
      EAP-Type=EAP-TLS
      Flags
      (TLS certificate,
      TLS client-key-exchange,
      TLS certificate-verify,
      TLS change-cipher-spec,
      TLS finished) ->
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (TLS change-cipher-spec,
                              TLS finished)
      EAP-Response/
      EAP-Type=EAP-TLS
      Flags ->

=======================================================
Four ways TLS Handshake Completion
=======================================================

Figure 2. The TLS Handshake Completion with the Security Module
4.2 The TLS / EAP-TLS Software Bridge


A software bridge, illustrated by figure 3, extracts TLS flights from TLS packets and manages the EAP-TLS messages exchanged with the Security Module.
               +----------+            +-----------+
        TLS    |    TLS   |   EAP-TLS  |    TLS    |
       packet  |  EAP-TLS |   Packet   |  Security |
     <=======> |   Bridge | <========> |   Module  |
               +----------+            +-----------+

Figure 3. The TLS / EAP-TLS Software Bridge

4.3 The TLS Security Module Encryption and Decryption procedures

After the completion of the TLS four-way or three-way handshake (notified by the delivery of the EAP-Success message in EAP-TLS), the Security Module supports two procedures, Process-EAP-Encrypt and Process-EAP-Decrypt, used respectively to compute TLS encrypted packets (see figure 4) and to check and decrypt the payload of TLS ciphered packets (see figure 5).

      Process-EAP-Encrypt(Type)
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (Payload= Clear Text)
      EAP-Response/
      EAP-Type=EAP-TLS
      Flags
      (Payload= TLS Encrypted
      Record Layer Message)->

Figure 4. Generation of TLS encrypted packet by TLS Security module

      Process-EAP-Decrypt
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (Payload= TLS Encrypted
                              Record Layer Message)
      EAP-Response/
      EAP-Type=EAP-TLS
      Flags
      (Payload= TLS Clear
      Record Layer payload)->

Figure 5. Generation of TLS decrypted packets

In the case of the Process-EAP-Encrypt(Type) procedure, the payload of the EAP-TLS packet (see figure 4) is the clear text to be encrypted in the TLS Record Layer packet. The SM adds the Type field indicated in the Process-EAP-Encrypt command and performs all the operations needed to compute the TLS encrypted packet (including the HMAC and optional padding bytes, see figure 6), which is encapsulated in the EAP-Response message (depicted in figure 4).



In the case of the Process-EAP-Decrypt() procedure, the payload of the EAP-TLS packet (see figure 5) is the received TLS Record Layer encrypted packet, as shown in figure 6. The Security Module checks the HMAC and, upon success, deciphers the encrypted payload; the resulting data is returned encapsulated in the EAP-Response message.
       +------+---------+--------+----------------------------+
       | Type | Version | Length |         Encrypted          |
       +------+---------+--------+          Payload           |
       +                                                      |
       +           +------+-----+------------+----------------+
       +           | HMAC | Pad | Pad Length |
       +-----------+------+-----+------------+

Figure 6. A TLS (Record Layer) encrypted packet.

Figure 7 details the structure of the Security Module commands needed for the encryption and decryption of TLS packets.
   +-------------+-----+-----+----+------------+----+----+---------+
   |   Command   |Class| INS | P1 |     P2     | Lc | Le |    SW   |
   +-------------+-----+-----+----+------------+----+----+---------+
   | Process-EAP | A0  |80-88| 00 | 80 || Type | xx | yy | 9000 OK |
   |   Encrypt   |     |     |    |            |    |    | 6985 ERR|
   +-------------+-----+-----+----+------------+----+----+---------+
   | Process-EAP | A0  |80-88| 00 |     00     | xx | yy | 9000 OK |
   |   Decrypt   |     |     |    |            |    |    | 6985 ERR|
   +-------------+-----+-----+----+------------+----+----+---------+

Figure 7. The Security Module ISO7816 commands
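
One way a bridge could frame the two Figure 7 commands and validate the module's answer, as an added Python example (not the draft's or the author's code). The function names are assumptions; INS is fixed to 80 as in the Section 6 trace, only unfragmented messages are handled, and the bytes in the demonstration are copied from that trace.

```python
import struct

CLA, INS = 0xA0, 0x80            # INS may be 80-88 per Figure 7; the traces use 80
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_TLS = 1, 2, 0x0D
FLAG_L, FLAG_M = 0x80, 0x40
SW_OK, SW_ERR = 0x9000, 0x6985


class ModuleError(RuntimeError):
    """The security module refused the command or returned a malformed answer."""


def _process_eap(p2, ident, payload):
    """Wrap payload in an unfragmented EAP-Request and a Process-EAP APDU."""
    eap = struct.pack(">BBHBB", EAP_REQUEST, ident, 6 + len(payload),
                      EAP_TYPE_TLS, 0x00) + payload
    if len(eap) > 0xFF:
        raise ValueError("EAP message exceeds one short APDU (Lc is one byte)")
    return bytes([CLA, INS, 0x00, p2, len(eap)]) + eap


def encrypt_apdu(content_type, cleartext, ident):
    """Process-EAP-Encrypt: P2 = 80 || Type, payload is the clear text."""
    if not 0 <= content_type <= 0x7F:
        raise ValueError("record Type must fit in the low 7 bits of P2")
    return _process_eap(0x80 | content_type, ident, cleartext)


def decrypt_apdu(record, ident):
    """Process-EAP-Decrypt: P2 = 00, payload is the received encrypted record."""
    return _process_eap(0x00, ident, record)


def parse_response(rapdu, ident):
    """Return the EAP-TLS payload of the module's answer, or raise ModuleError."""
    if len(rapdu) < 2:
        raise ModuleError("response APDU has no status word")
    sw = int.from_bytes(rapdu[-2:], "big")
    if sw != SW_OK:
        # 6985 is the ERR status of Figure 7; no data is handed to the caller.
        raise ModuleError(f"status word {sw:04X}")
    eap = rapdu[:-2]
    if len(eap) < 6:
        raise ModuleError("truncated EAP-Response")
    code, rid, length, eap_type, flags = struct.unpack(">BBHBB", eap[:6])
    if (code, rid, eap_type) != (EAP_RESPONSE, ident, EAP_TYPE_TLS):
        raise ModuleError("not the EAP-TLS response to this request")
    if length != len(eap):
        raise ModuleError("EAP Length field does not match the APDU body")
    if flags & FLAG_M:
        raise ModuleError("fragmented response: reassemble before use")
    if not flags & FLAG_L:
        return eap[6:]
    if length < 10 or struct.unpack(">I", eap[6:10])[0] != length - 10:
        raise ModuleError("TLS Message Length disagrees with payload size")
    return eap[10:]


def check_tls_record(record, content_type):
    """Check the 5-byte TLS record header returned by Process-EAP-Encrypt."""
    if len(record) < 5:
        raise ModuleError("short TLS record")
    rtype, _major, _minor, rlen = struct.unpack(">BBBH", record[:5])
    if rtype != content_type or rlen != len(record) - 5:
        raise ModuleError("record header inconsistent with the request")
    return record


if __name__ == "__main__":
    # Command and response bytes below are copied from the Section 6 trace.
    cmd = encrypt_apdu(0x17, b"1234\r\n", ident=0x11)
    print(">>", cmd.hex(" ").upper())
    rsp = bytes.fromhex("02 10 00 10 0D 80 00 00 00 06 31 32 33 34 0D 0A 90 00")
    print("clear payload:", parse_response(rsp, ident=0x10))
```
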
5 The DTLS Security Module

5.1 EAP-TLS for the DTLS Security Module

      Security Module (SM)       SM User
      -------------------     -------------
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (TLS Start)
      EAP-Response/
      EAP-Type=EAP-TLS
      Flags
      (DTLS client-hello) ->                             Flight 1
                              <- EAP-Request/
                              DTLS Hello-Verify-Request  Flight 2
                              (contains cookie)
      EAP-Response/
      EAP-Type=EAP-TLS
      Flags
      (DTLS client-hello
      with cookie) ->                                    Flight 3
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (DTLS server-hello,
                              DTLS certificate,          Flight 4
                              [DTLS server-key-exchange,]
                              DTLS certificate-request,
                              DTLS server-hello-done)
      EAP-Response/
      EAP-Type=EAP-TLS
      Flags
      (DTLS certificate,
      DTLS client-key-exchange,
      DTLS certificate-verify,                           Flight 5
      DTLS change-cipher-spec,
      DTLS finished) ->
                              <- EAP-Request/
                              Flags
                              EAP-Type=EAP-TLS
                              (DTLS change-cipher-spec,  Flight 6
                              DTLS finished)
      EAP-Response/
      EAP-Type=EAP-TLS
      Flags ->
      =======================================================
      Four ways DTLS Handshake Completion
      =======================================================

Figure 8. The DTLS handshake completion with the Security Module

In a way similar to TLS (see figure 8), DTLS messages are encapsulated in EAP-TLS messages.



5.2 The DTLS / EAP-TLS Software Bridge

A software bridge, illustrated by figure 9, extracts DTLS flights from DTLS packets and manages EAP-TLS exchanges with the Security Module.

               +----------+            +-----------+
      DTLS     |   DTLS   |   EAP-TLS  |    DTLS   |
      packets  |  EAP-TLS |   Packets  |  Security |
     <=======> |  Bridge  | <========> |   Module  |
               +----------+            +-----------+

Figure 9. DTLS / EAP-TLS software bridge

The DTLS security module does not manage the fragmentation and reassembly of handshake messages. These operations are handled by the software bridge during the DTLS three-way or four-way handshake. Timeout and retransmission are also managed by the bridge entity.

According to [DTLS 1.0], finished messages have no sensitivity to fragmentation. They are computed as if each handshake message had been sent as a single fragment. The security module (see figure 10) deals with handshake messages whose fragment-offset field is set to zero and whose fragment-length field is equal to length. Because the handshake sequence is not used in cryptographic calculations, it is fully managed by the bridge. The security module does not take into account the sequence numbers of received messages, and produces handshake messages with sequence numbers starting from zero (at the generation of the first DTLS hello message) and incremented for every message.

      HandshakeType msgtype;
      uint24 length;
      uint16 message-sequence;
      uint24 fragment-offset;
      uint24 fragment-length;
      [Handshake Message]

Figure 10. Structure of the DTLS Handshake message.
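
The bridge-side reassembly described above, as an added Python example that is not part of the draft: fragments of one handshake message are collected and handed on in the single-fragment form of figure 10 (fragment-offset zero, fragment-length equal to length). The class and function names and the two limits are assumptions of this example, and the sample fragments are constructed.

```python
HDR_LEN = 12
MAX_HANDSHAKE = 1 << 16      # assumed local cap on one handshake message
MAX_PENDING = 8              # assumed cap on messages being reassembled at once


class HandshakeError(ValueError):
    """Malformed or conflicting DTLS handshake fragment."""


def make_fragment(msg_type, length, msg_seq, offset, body):
    """Serialise the figure 10 header followed by the fragment body."""
    return (bytes([msg_type]) + length.to_bytes(3, "big")
            + msg_seq.to_bytes(2, "big") + offset.to_bytes(3, "big")
            + len(body).to_bytes(3, "big") + body)


def parse_fragment(buf):
    """Return (msg_type, length, msg_seq, offset, body) after bounds checks."""
    if len(buf) < HDR_LEN:
        raise HandshakeError("fragment shorter than the handshake header")
    msg_type = buf[0]
    length = int.from_bytes(buf[1:4], "big")
    msg_seq = int.from_bytes(buf[4:6], "big")
    offset = int.from_bytes(buf[6:9], "big")
    frag_len = int.from_bytes(buf[9:12], "big")
    body = buf[HDR_LEN:]
    if len(body) != frag_len:
        raise HandshakeError("fragment-length does not match the bytes present")
    if length > MAX_HANDSHAKE or offset + frag_len > length:
        raise HandshakeError("fragment lies outside the announced message")
    return msg_type, length, msg_seq, offset, body


class HandshakeReassembler:
    """Buffers fragments per message-sequence; add() returns a complete message."""

    def __init__(self):
        self.pending = {}        # msg_seq -> [msg_type, length, data, seen]

    def add(self, fragment):
        msg_type, length, msg_seq, offset, body = parse_fragment(fragment)
        if msg_seq not in self.pending and len(self.pending) >= MAX_PENDING:
            raise HandshakeError("too many incomplete handshake messages")
        slot = self.pending.setdefault(
            msg_seq, [msg_type, length, bytearray(length), bytearray(length)])
        if slot[0] != msg_type or slot[1] != length:
            raise HandshakeError("fragments disagree on type or length")
        data, seen = slot[2], slot[3]
        for i, byte in enumerate(body, start=offset):
            if seen[i] and data[i] != byte:
                raise HandshakeError("overlapping fragments carry different bytes")
            data[i], seen[i] = byte, 1
        if not all(seen):
            return None          # still waiting for other fragments
        del self.pending[msg_seq]
        # Form expected by the security module: offset 0, fragment-length = length.
        return make_fragment(msg_type, length, msg_seq, 0, bytes(data))


if __name__ == "__main__":
    body = bytes(range(50))                       # constructed 50-byte message
    frags = [make_fragment(0x0B, 50, 2, off, body[off:off + 20])
             for off in (40, 0, 20)]              # delivered out of order
    r = HandshakeReassembler()
    for f in frags:
        out = r.add(f)
    print(out[:HDR_LEN].hex(" "))
```
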

It should also be noted that, according to the DTLS protocol [DTLS 1.0], in cases where the cookie exchange is used, the initial ClientHello and HelloVerifyRequest are NOT included in the Finished MAC.

When the Security Module builds the client finished message it sets the EPOCH field to one and resets the sequence number used by the record layer. The record layer packet structure is detailed by figure 11.


      struct {
          ContentType type;
          ProtocolVersion version;
          uint16 epoch;
          uint48 sequence-number;
          uint16 length;
          opaque fragment[DTLSPlaintext.length];
      } DTLSPlaintext;

Figure 11. DTLS Record Layer packet structure


According to [DTLS 1.0], the DTLS MAC is the same as that of TLS 1.1. However, rather than using TLS's implicit sequence number, the sequence number used to compute the MAC is the 64-bit value formed by concatenating the epoch and the sequence number in the order they appear on the wire. TLS MAC calculation is parameterized on the protocol version number, which, in the case of DTLS, is the on-the-wire version, i.e., {254,255} for DTLS 1.0.
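
The MAC input described above, as an added Python example (not the draft's code): the 64-bit value epoch || sequence-number is taken from the record header actually received, so a record whose epoch or sequence number was altered fails verification. The example uses HMAC-SHA1 and leaves record encryption and padding out; the function names and the key are assumptions of this example.

```python
import hashlib
import hmac

DTLS_1_0 = bytes([254, 255])              # on-the-wire version fed to the MAC
MAC_LEN = hashlib.sha1().digest_size      # 20 bytes for HMAC-SHA1


def parse_record_header(record):
    """Return (type, version, epoch, sequence_number, body) of a figure 11 record."""
    if len(record) < 13:
        raise ValueError("record shorter than the 13-byte DTLS header")
    ctype, version = record[0], record[1:3]
    epoch = int.from_bytes(record[3:5], "big")
    seq = int.from_bytes(record[5:11], "big")
    length = int.from_bytes(record[11:13], "big")
    if length != len(record) - 13:
        raise ValueError("length field does not match the record body")
    return ctype, version, epoch, seq, record[13:]


def dtls_mac(mac_key, epoch, seq, ctype, version, fragment):
    """HMAC over (epoch || sequence_number) || type || version || length || fragment."""
    seq_num = epoch.to_bytes(2, "big") + seq.to_bytes(6, "big")   # 64-bit value
    header = seq_num + bytes([ctype]) + version + len(fragment).to_bytes(2, "big")
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


def protect(mac_key, epoch, seq, ctype, fragment, version=DTLS_1_0):
    """Build header || fragment || MAC (no encryption in this example)."""
    body = fragment + dtls_mac(mac_key, epoch, seq, ctype, version, fragment)
    return (bytes([ctype]) + version + epoch.to_bytes(2, "big")
            + seq.to_bytes(6, "big") + len(body).to_bytes(2, "big") + body)


def verify(mac_key, record):
    """Return the fragment if the MAC matches the received header, else None."""
    ctype, version, epoch, seq, body = parse_record_header(record)
    if len(body) < MAC_LEN:
        return None
    fragment, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = dtls_mac(mac_key, epoch, seq, ctype, version, fragment)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return fragment if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    key = bytes(range(20))                                  # constructed MAC key
    rec = protect(key, epoch=1, seq=1, ctype=0x17, fragment=b"\xAA" * 16)
    print("accepted:", verify(key, rec) is not None)
    moved = rec[:10] + b"\x02" + rec[11:]                   # sequence number 1 -> 2
    print("accepted after changing sequence number:", verify(key, moved) is not None)
```
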
5.3 The DTLS Security Module Encryption and Decryption procedures

Upon completion of the DTLS handshake, i.e. after the generation of the finished messages (on both the client and server side), the record layer is fully handled by the security module, which checks and decrypts all incoming packets (see figure 13) and produces encrypted and HMACed packets (see figure 12).

      Process-EAP-Encrypt(Type)
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (Payload= Clear Text)
      EAP-Response/
      EAP-Type=EAP-TLS
      Flags
      (Payload= DTLS Encrypted
      Record Layer Message)->

Figure 12. Generation of DTLS encrypted packet by the DTLS Security module

      Process-EAP-Decrypt
                              <- EAP-Request/
                              EAP-Type=EAP-TLS
                              Flags
                              (Payload= DTLS Encrypted
                              Record Layer Message)
      EAP-Response/
      EAP-Type=EAP-TLS
      Flags
      (Payload= DTLS Clear
      Record Layer payload)->

Figure 13. Generation of TLS decrypted packets
6 Example of TLS processing by the TLS security module

The following choreography illustrates the processing of a TLS (1.0) resumed session by the TLS security module. The CipherSuite is AES-SHA1.

// RESET the Security Module
>> A0 19 10 00 00
<< 90 00

// Send EAP-TLS-Start in EAP-Request
// last four bytes represent the time
>> A0 80 00 00 0A 01 14 00 06 0D 20 55 82 E9 D1

// Flight 1
// Client Hello in EAP-Response
<< 02 14 00 5C 0D 80 00 00 00 52 16 03 01 00 4D 01 00 00 49 03 01 55 82 E9 D1 BE 21 DF 71 68 C3 14 BB DC 09 57 24 DA 77 F1 EA C1 9F 54 AF 0F E4 61 C9 5A 3F 06 93 20 34 1A 3F 0A E5 6C C0 39 F1 E2 9A F7 D3 D6 6E C0 91 CC EB 77 61 7D 88 FF C7 00 F9 C3 6D 1F 1F 8C 00 02 00 2F 01 00 90 00

// Flight 2
// Server Hello + CCS + Finished in EAP-Request
// 1st fragment

>> A0 80 00 00 8A 01 0D 00 8A 0D C0 00 00 00 8A 16 03 01 00 4A 02 00 00 46 03 01 55 82 EA 66 4D ED 28 C0 E2 4F 22 12 01 35 49 82 61 5A FC 29 64 3B 20 1D 3A D4 00 39 91 27 07 06 20 34 1A 3F 0A E5 6C C0 39 F1 E2 9A F7 D3 D6 6E C0 91 CC EB 77 61 7D 88 FF C7 00 F9 C3 6D 1F 1F 8C 00 2F 00 14 03 01 00 01 01 16 03 01 00 30 85 D5 76 49 D3 58 C9 93 D8 03 B1 91 19 78 3F 16 A1 3A DF 03 54 53 63 B6 42 A5 5A 8A 23 C2 C5 AD 84 75 30 85 BE 75

// EAP-TLS ACK
<< 02 0D 00 06 0D 00 90 00

// 2nd fragment
>> A0 80 00 00 10 01 0E 00 10 0D 00 26 92 99 2A 9E 7F FF 2E BC CB

// Flight 3
// Client CCS + Finished in EAP-Response
<< 02 0E 00 45 0D 80 00 00 00 3B 14 03 01 00 01 01 16 03 01 00 30 86 8A 10 A2 85 5F DA D8 52 16 D6 57 12 75 A6 57 A2 20 1B A5 5B F0 0A E5 34 62 FF 92 28 BC DD 72 5E D7 6E C0 D4 A5 52 1F AA F5 6D 7C 8A 37 02 54 90 00

// TLS handshake completion



// Process-EAP-Decrypt
>> A0 80 00 00 2B 01 0F 00 2B 0D 00 17 03 01 00 20 75 1A 28 2D F3 E1 12 D5 19 7C 3E 38 CB 49 D6 43 CF B0 F3 E5 A3 1A BF A1 E0 75 AE A8 07 89 B0 45

// Empty Record Layer Payload
<< 02 0F 00 0A 0D 80 00 00 00 00 90 00

// Process-EAP-Decrypt

>> A0 80 00 00 2B 01 10 00 2B 0D 00 17 03 01 00 20 A0 65 57 15 17 D2 DA 92 FF A3 7F 07 F4 95 53 86 4C 55 F3 2C 87 6B A8 CB 2F 36 F3 71 D2 AD A3 F7

// Record Layer Clear Payload = 31 32 33 34 0D 0A
<< 02 10 00 10 0D 80 00 00 00 06 31 32 33 34 0D 0A 90 00

// Process-EAP-Encrypt type=17h, payload = 31 32 33 34 0D 0A
>> A0 80 00 97 0C 01 11 00 0C 0D 00 31 32 33 34 0D 0A

// Encrypted TLS Record Layer packet in EAP-Response
<< 02 11 00 2F 0D 80 00 00 00 25 17 03 01 00 20 15 06 B7 7D 1F 1E F3 51 4A 8E 70 3C AE B2 EF EF D0 45 A7 1E 3F 68 92 AF 0C 09 C7 91 97 F7 C2 E6 90 00

7 Example of DTLS processing by the DTLS security module

The following choreography illustrates the processing of a DTLS full session by the DTLS security module. The CipherSuite is AES-SHA1.


// RESET the Security Module
>> A0 19 10 00 00
<< 90 00

// Send EAP-TLS-Start in EAP-Request
// The last four bytes represent the time

>> A0 80 00 00 0A 01 14 00 06 0D 20 55 83 BF CA

// Flight 1
// DTLS ClientHello (no cookie) in EAP-Response
// RL-seq=0, RL-epoch=0, Handshake-seq=0
<< 02 14 00 4D 0D 80 00 00 00 43 16 FE FF 00 00 00 00 00 00 00 00 00 36 01 00 00 2A 00 00 00 00 00 00 00 2A FE FF 55 83 BF CA DD 4C 24 32 85 D1 A5 21 EB EE F3 33 50 88 17 6B 48 6A CB 24 E6 28 8B FE 3C 85 F3 F1 00 00 00 02 00 2F 01 00 90 00

DTLS Bridge sends 67 bytes
DTLS Bridge receives RL-Seq=0, RL-epoch=0, Handshake-seq=0

// Flight 2 DTLS HelloVerifyRequest (contains cookie)
// DTLS HelloVerifyRequest in EAP-Response

>> A0 80 00 00 36 01 01 00 36 0D 00 16 FE FF 00 00 00 00 00 00 00 00 00 23 03 00 00 17 00 00 00 00 00 00 00 17 FE FF 14 C2 38 AC 8C F8 F5 CE CA 9B 9E F1 2F 8A D1 9E 2F 84 27 F2 FF

// Flight 3 DTLS HelloClient (contains cookie)
// DTLS ClientHello in EAP-Response
// RL-seq=1, RL-epoch=0, Handshake-seq=1

<< 02 01 00 61 0D 80 00 00 00 57 16 FE FF 00 00 00 00 00 00 00 01 00 4A 01 00 00 3E 00 01 00 00 00 00 00 3E FE FF 55 83 BF CA DD 4C 24 32 85 D1 A5 21 EB EE F3 33 50 88 17 6B 48 6A CB 24 E6 28 8B FE 3C 85 F3 F1 00 14 C2 38 AC 8C F8 F5 CE CA 9B 9E F1 2F 8A D1 9E 2F 84 27 F2 FF 00 02 00 2F 01 00 90 00

DTLS Bridge sends 87 bytes
DTLS Bridge receives
RL-seq=1 RL-epoch=0 Handshake-seq=1
RL-seq=2 RL-epoch=0 Handshake-seq=2
RL-seq=3 RL-epoch=0 Handshake-seq=3
RL-seq=4 RL-epoch=0 Handshake-seq=4

// Flight 4
// DTLS ServerHello, Certificate, CertificateRequest
// ServerHelloDone in EAP-Request
// 4 record layer messages

// EAP-TLS message 1st fragment
>> A0 80 00 00 8A 01 02 00 8A 0D C0 00 00 02 D2 16 FE FF 00 00 00 00 00 00 00 01 00 32 02 00 00 26 00 01 00 00 00 00 00 26 FE FF 55 83 BF CF F6 1B 78 8E 10 05 FC F7 4C 0C 0D 9D 98 4E 90 DA 71 EC BC 83 45 97 4A 71 D9 89 19 C1 00 00 2F 00 16 FE FF 00 00 00 00 00 00 00 02 02 4E 0B 00 02 42 00 02 00 00 00 00 02 42 00 02 3F 00 02 3C 30 82 02 38 30 82 01 A1 A0 03 02 01 02 02 02 00 8B 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 57

// EAP-TLS Ack
<< 02 02 00 06 0D 00 90 00

// 2nd fragment
>> A0 80 00 00 8A 01 03 00 8A 0D 40 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 11 30 0F 06 03 55 04 08 13 08 56 69 72 67 69 6E 69 61 31 10 30 0E 06 03 55 04 07 13 07 46 61 69 72 66 61 78 31 11 30 0F 06 03 55 04 0A 13 08 5A 6F 72 6B 2E 6F 72 67 31 10 30 0E 06 03 55 04 03 13 07 52 6F 6F 74 20 43 41 30 1E 17 0D 31 34 30 37 31 33 32 32 34 39 30 37 5A 17 0D 32 32 30 39 32 39 32 32 34 39 30 37 5A 30 5D 31 0B 30 09 06 03 55 04 06 13 02

// EAP-TLS Ack
<< 02 03 00 06 0D 00 90 00

// 3rd fragment
>> A0 80 00 00 8A 01 04 00 8A 0D 40 46 52 31 14 30 12 06 03 55 04 08 13 0B 49 6C 65 44 65 46 72 61 6E 63 65 31 0E 30 0C 06 03 55 04 07 13 05 50 61 72 69 73 31 17 30 15 06 03 55 04 0A 13 0E 65 74 68 65 72 74 72 75 73 74 2E 63 6F 6D 31 0F 30 0D 06 03 55 04 03 13 06 63 6C 69 65 6E 74 30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 81 00 E3 83 38 A1 60 FE 8B 24 6F 39 E6 A8 A9 81 8F BE 9C E2 E3 7F 45

// EAP-TLS ack
<< 02 04 00 06 0D 00 90 00

// 4th fragment
>> A0 80 00 00 8A 01 05 00 8A 0D 40 2F 9B C7 41 09 B2 10 52 38 3F 74 46 89 C4 A1 4E 28 9D F7 22 8B AF 90 D1 3C 3C 03 4A 2F FC AA 03 26 3E 21 6C 19 DB 87 D7 F6 19 D6 F4 57 A4 BA 08 14 CB B3 1C 1F 01 76 6B 08 5A 4B 40 09 8B AB C8 6E 31 25 17 78 04 78 84 0F CB 0E B1 B9 D0 27 73 30 0D AE C1 7D BB 8E 1B 65 0A 17 51 23 9F C9 89 62 44 38 5C E6 63 A0 72 E2 99 67 02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A


// EAP-TLS Ack
<< 02 05 00 06 0D 00 90 00


// 5th fragment

>> A0 80 00 00 8A 01 06 00 8A 0D 40 86 48 86 F7 0D 01 01 05 05 00 03 81 81 00 7C 95 33 F9 17 27 BE CB 2A 85 6C A9 9E B8 4B 07 9B 09 69 ED D1 8A 38 A5 CA 1B C6 44 06 F9 A3 BD E4 66 58 C4 BE 92 32 C9 9E 43 42 26 9E EF 67 1D 6E A3 2C CE 59 DE 3E 0F 07 3A 10 66 72 5E A1 E5 06 76 76 CC 8D C0 47 54 42 AB FA 36 1C F1 8B 57 C0 A7 2B 65 52 4F 2E 36 75 D5 15 34 18 38 61 3A 18 18 5D D5 E3 9E 8D 1C DD 3D D3 A6 93 3D 19 0C 9C FA 98 C0 B0 5B

// EAP-TLS Ack
<< 02 06 00 06 0D 00 90 00

// 6th and last fragment

>> A0 80 00 00 48 01 07 00 48 0D 00 4F 35 CF B2 88 51 6D 9F 75 FD 16 FE FF 00 00 00 00 00 00 00 03 00 12 0D 00 00 06 00 03 00 00 00 00 00 06 03 01 02 40 00 00 16 FE FF 00 00 00 00 00 00 00 04 00 0C 0E 00 00 00 00 04 00 00 00 00 00 00

// Flight 5
// Certificate, KeyExchange, CertificateVerify, ChangeCipherSpec
// Finished, in EAP-Response, 2 record layer messages
// RL-seq=2, RL-epoch=0, Handshake-seq=2,3,4,5
// RL-seq=0, RL-epoch=0, Handshake-seq=0

// EAP-TLS message, 1st EAP fragment
<< 02 07 00 8A 0D C0 00 00 04 0F 16 FE FF 00 00 00 00 00 00 00 02 03 A7 0B 00 02 7F 00 02 00 00 00 00 02 7F 00 02 7C 00 02 79 30 82 02 75 30 82 01 DE A0 03 02 01 02 02 01 0C 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 81 94 31 0B 30 09 06 03 55 04 06 13 02 46 52 31 0F 30 0D 06 03 55 04 08 13 06 46 72 61 6E 63 65 31 0E 30 0C 06 03 55 04 07 13 05 50 61 72 69 73 31 13 30 11 06 03 55 04 0A 13 0A 45 74 68 65 72 54 90 00

// EAP-TLS ack
>> A0 80 00 00 06 01 08 00 06 0D 00




// 2nd EAP fragment
<< 02 08 00 86 0D 40 72 75 73 74 31 0D 30 0B 06 03 55 04 0B 13 04 54 65 73 74 31 14 30 12 06 03 55 04 03 13 0B 50 61 73 63 61 6C 55 72 69 65 6E 31 2A 30 28 06 09 2A 86 48 86 F7 0D 01 09 01 16 1B 70 61 73 63 61 6C 2E 75 72 69 65 6E 40 65 74 68 65 72 74 72 75 73 74 2E 63 6F 6D 30 1E 17 0D 31 34 30 37 31 34 30 38 30 33 31 37 5A 17 0D 32 32 30 39 33 30 30 38 30 33 31 37 5A 30 5D 31 0B 30 09 06 03 55 04 06 90 00

// EAP-TLS Ack
>> A0 80 00 00 06 01 09 00 06 0D 00

// 3rd EAP fragment
<< 02 09 00 86 0D 40 13 02 46 52 31 14 30 12 06 03 55 04 08 13 0B 49 6C 65 44 65 46 72 61 6E 63 65 31 0E 30 0C 06 03 55 04 07 13 05 50 61 72 69 73 31 17 30 15 06 03 55 04 0A 13 0E 65 74 68 65 72 74 72 75 73 74 2E 63 6F 6D 31 0F 30 0D 06 03 55 04 03 13 06 53 65 72 76 65 72 30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 81 00 D5 E3 52 F5 55 2B 10 1D 7D E9 3F 1A 49 23 59 90 00

// EAP-TLS Ack
>> A0 80 00 00 06 01 0A 00 06 0D 00

// 4th EAP fragment
<< 02 0A 00 86 0D 40 8D F4 B2 E7 5C FE 4A 5B 0D D1 EA AB F2 A1 6D 79 36 EA CC 06 E2 2B 4F C9 6C EB 7C 69 DB 22 BE B2 72 26 26 A5 53 75 32 D4 80 7E CF AD 85 C1 B0 89 D4 35 FF B1 71 6B 65 74 46 23 BD 52 B5 1B 90 D2 78 4B AF 1F EE C5 94 8D 9B 93 55 70 4B 1B 5F E6 42 31 2D EA 48 BC C2 4E B4 CD C2 9F FF C2 BE F2 D8 2B E2 99 AD 98 2E 22 EB 97 81 12 70 8E AF 37 29 02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 90 00

// EAP-TLS Ack
>> A0 80 00 00 06 01 0B 00 06 0D 00

// 5th EAP fragment
<< 02 0B 00 86 0D 40 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 81 81 00 05 C2 17 66 F6 50 B5 BC EB 77 CB 57 20 5A 46 9A FB FE 0B 53 1B E7 39 9F B4 8D FE A5 B8 5A 5A 70 18 32 9C EE 0F 67 E8 F3 A2 61 94 5D A7 ED 89 F0 42 A3 8C 85 CA 42 A9 94 49 C3 52 2C EF 9A 2E 64 DA BA B5 AE E9 29 C4 F6 5D 7F E9 4D BF CF 7A D9 6D DE 22 3F E2 57 DF 50 B0 E3 6E AD 69 4E 05 C8 B5 F7 DC FC 26 0D F8 B7 90 00

// EAP-TLS Ack
>> A0 80 00 00 06 01 0C 00 06 0D 00




// 6th EAP fragment
<< 02 0C 00 86 0D 40 9A 9E B1 C3 9D 4C 4A C7 17 AB 72 18 80 84 3F 71 4F CA 14 29 78 40 37 FF 10 00 00 82 00 03 00 00 00 00 00 82 00 80 75 0B 3B E0 EC 77 E9 5E A0 4B A9 EE AE 1A B2 50 37 13 3C 5A 93 8B A9 DD C1 9D 0F 50 21 9E 12 34 60 AA 74 BC AA 36 C7 41 D9 EA DE 25 6C A5 C7 43 F6 87 7A 4D 31 A0 50 D6 B4 B9 F9 4E 6A FF D1 25 9A 62 18 43 54 3F 00 B6 31 21 C1 09 28 9A BB 7B EE F0 62 92 5D E0 A3 9A CA E2 90 00

// EAP-TLS Ack
>> A0 80 00 00 06 01 0D 00 06 0D 00

// 7th EAP fragment
<< 02 0D 00 86 0D 40 51 EE 0A 87 85 36 BD 02 7A 40 B2 86 16 0E 5E CE B5 E8 62 C0 3D F8 BC 2E F9 68 53 75 87 B7 AA 68 C8 EC 65 AD 50 AD 0F 00 00 82 00 04 00 00 00 00 00 82 00 80 5A 35 9C 84 56 48 04 91 2D EE 13 0D CB B1 C0 26 FE A9 37 40 B8 78 A8 C5 06 27 94 2B 5D 04 65 2F 85 22 FB D7 56 04 72 C5 7B B4 2D 41 E9 A9 4E 1D 14 1F F0 8C 83 40 FD 6A 84 39 49 E4 EF D6 D1 8C 4E 7E 22 BD 96 5B 9B 2E 65 04 91 28 90 00

// EAP-TLS Ack
>> A0 80 00 00 06 01 0E 00 06 0D 00

// 8th EAP fragment
<< 02 0E 00 3A 0D 40 FE 91 4E 1A 1A 36 91 F1 05 12 C5 9D 78 11 24 E6 65 44 E9 A2 80 4D F4 61 0C 79 5C 93 D5 B4 F0 29 47 DE 50 91 77 6D 99 62 D8 3E 02 12 2C E0 75 BE A4 4F 1C B9 90 00

// EAP-TLS ack
>> A0 80 00 00 06 01 0F 00 06 0D 00

// 9th and last fragment
<< 02 0F 00 61 0D 00 14 FE FF 00 00 00 00 00 00 00 03 00 01 01 16 FE FF 00 01 00 00 00 00 00 00 00 40 75 D7 8B EB FD 23 6F F7 63 65 D0 4C 40 1E F2 D5 9F 4D F0 D2 EA DF 6E F0 A8 89 7D 15 86 B4 96 AB 93 61 9B 17 8D 01 50 64 C6 7C 76 BA 90 F7 22 B3 D9 1A E3 B3 DA F4 43 1E 2C 3D 8B 49 02 D7 F6 6F 90 00

DTLS Bridge sends 664 bytes
DTLS Bridge sends 155 bytes
DTLS Bridge sends 155 bytes
DTLS Bridge sends 14 bytes
DTLS Bridge sends 77 bytes


DTLS Bridge receives RL-Seq=9, RL-epoch=0 RL-Seq=0, RL-epoch=1

// Flight 6
// ChangeCipherSpec, Finished, in EAP-TLS Request >> A0 80 00 00 61 01 10 00 61 0D 00 14 FE FF 00 00 00 00 00 00 00 09 00 01 01 16 FE FF 00 01 00 00 00 00 00 00 00 40 3F 2C D4 FE 86 92 89 66 C7 97 59 F1 C4 B8 15 C4 20 EC 39 FB B5 D5 37 D9 86 72 37 95 DF 88 3A 22 A8 54 98 F0 BD 99 AF AC 37 62 38 0C 86 4A 47 1B C0 63 08 CF 57 1B 5C DC 8C 7B C9 DB FE C0 64 11

// EAP-TLS Ack << 02 10 00 06 0D 00 90 00

TLS handshake completion


// Process-EAP-Encrypt type=17h, payload = 16x AA

>> A0 80 00 97 16 01 11 00 16 0D 00 AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA

// Encrypted DTLS Record Layer packet in EAP-Response << 02 11 00 57 0D 80 00 00 00 4D 17 FE FF 00 01 00 00 00 00 00 01 00 40 2C E9 45 8E A9 44 FA 2B 13 75 A3 A3 63 01 F5 29 91 8B 20 B1 9B E2 7D 30 2D 91 D1 32 9A 6F 2E 3E D1 7B 64 F0 2A 06 3E C3 5E 34 81 A0 2D 6D C5 30 70 41 83 4A 1C 09 E6 93 66 76 23 45 63 14 3E BB 90 00

Bridge sends 77 bytes
Bridge receives RL-seq=1, RL-epoch=1

//Process-EAP-Decrypt >> A0 80 00 00 53 01 12 00 53 0D 00 17 FE FF 00 01 00 00 00 00 00 01 00 40 0F 0E EE 3C F7 F4 FF 87 03 22 53 93 53 0D 83 E8 86 A5 F4 36 FB 94 B3 58 B3 A8 86 1A 29 B5 A8 BB 6A EA 8B ED B9 81 62 A4 96 57 7B 39 8E 55 E5 D1 0E DC 74 49 42 16 27 60 C3 32 ED DA CC D3 42 4A

// DTLS Record Layer Clear Payload = 16x AA << 02 12 00 1A 0D 80 00 00 00 10 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA 90 00

// Process-EAP-Encrypt type=15h (Alert), payload = 0100 >> A0 80 00 95 08 01 13 00 08 0D 00 01 00



// Encrypted DTLS Record Layer packet in EAP-Response << 02 13 00 47 0D 80 00 00 00 3D 15 FE FF 00 01 00 00 00 00 00 02 00 30 76 A5 73 71 9A 69 A3 8F DE 2F 0D 3D 15 49 D5 C1 01 23 AE 0A 0B BB 14 F4 EC 8E 2E 84 A0 76 20 BF 3B 56 E7 C2 B9 A4 0B 13 C2 71 BD AE C4 7F 95 32 90 00

Bridge sends 61 bytes
Bridge receives RL-seq=2, RL-epoch=1

//Process-EAP-Decrypt >> A0 80 00 00 43 01 14 00 43 0D 00 15 FE FF 00 01 00 00 00 00 00 02 00 30 6B 4A 48 86 92 88 95 3C D9 0D 7B CD 9E 94 7B 93 02 5C 75 FE C1 25 3E 5B 0D 99 8D 13 06 A3 3D 36 12 CD F9 1B 23 0B CE 6E 55 E1 B1 9F 39 18 FA 10

// DTLS Record Layer Clear Payload = 0100 << 02 14 00 0C 0D 80 00 00 00 02 01 00 90 00
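
Added example (not part of the draft): a decoder for one card response from the trace above, showing how the ISO7816 status word, the EAP-TLS header (RFC 5216 L and M flag bits) and the DTLS record headers (epoch, sequence number, length) are laid out. The function and field names are hypothetical; packets without the M bit are assumed to start on a DTLS record boundary, so it applies to handshake and Process-EAP-Encrypt responses, not to Process-EAP-Decrypt responses, which return clear payload.

```python
import struct

# Card response copied from the trace above ("9th and last fragment"):
# one EAP-Response carrying two DTLS records, then the status word 90 00.
LAST_FRAGMENT = bytes.fromhex(
    "02 0F 00 61 0D 00 14 FE FF 00 00 00 00 00 00 00 03 00 01 01"
    "16 FE FF 00 01 00 00 00 00 00 00 00 40"
    "75 D7 8B EB FD 23 6F F7 63 65 D0 4C 40 1E F2 D5"
    "9F 4D F0 D2 EA DF 6E F0 A8 89 7D 15 86 B4 96 AB"
    "93 61 9B 17 8D 01 50 64 C6 7C 76 BA 90 F7 22 B3"
    "D9 1A E3 B3 DA F4 43 1E 2C 3D 8B 49 02 D7 F6 6F 90 00")

CONTENT_TYPES = {0x14: "ChangeCipherSpec", 0x15: "Alert",
                 0x16: "Handshake", 0x17: "ApplicationData"}

def parse_card_response(resp: bytes) -> dict:
    """Decode the status word, EAP-TLS header and DTLS record headers."""
    if len(resp) < 8:
        raise ValueError("too short for EAP-TLS header plus status word")
    body, sw = resp[:-2], resp[-2:].hex().upper()
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", body[:6])
    if length != len(body) or eap_type != 0x0D:
        raise ValueError("EAP length mismatch or type is not EAP-TLS (0D)")
    off = 10 if flags & 0x80 else 6   # L bit: 4-byte TLS message length follows
    if off > len(body):
        raise ValueError("L bit set but TLS message length is missing")
    more = bool(flags & 0x40)         # M bit: packet holds only part of a flight
    records = []
    # Walk records only when the M bit is clear; such packets are assumed
    # to start on a DTLS record boundary, as the ones in the trace do.
    while not more and off < len(body):
        if off + 13 > len(body):
            raise ValueError("truncated DTLS record header")
        ctype, version, epoch = struct.unpack("!BHH", body[off:off + 5])
        seq = int.from_bytes(body[off + 5:off + 11], "big")
        rlen = int.from_bytes(body[off + 11:off + 13], "big")
        if version not in (0xFEFF, 0xFEFD) or off + 13 + rlen > len(body):
            raise ValueError("bad DTLS version or record overruns the packet")
        records.append({"type": CONTENT_TYPES.get(ctype, hex(ctype)),
                        "epoch": epoch, "seq": seq, "length": rlen})
        off += 13 + rlen
    return {"sw": sw, "eap_code": code, "eap_id": ident,
            "more_fragments": more, "records": records}

if __name__ == "__main__":
    for rec in parse_card_response(LAST_FRAGMENT)["records"]:
        print(rec)
```

The two record sizes it reports, 13 + 1 and 13 + 64 bytes, match the "DTLS Bridge sends 14 bytes" and "DTLS Bridge sends 77 bytes" lines of the trace.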

8 Security Considerations


9 IANA Considerations


10 References


10.1 Normative References

[TLS 1.0] Dierks, T., C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999

[TLS 1.1] Dierks, T., Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, April 2006

[DTLS 1.0] E. Rescorla, N. Modadugu, "Datagram Transport Layer Security", RFC 4347, April 2006

[EAP-TLS] D. Simon, B. Aboba, R. Hurst, "The EAP-TLS Authentication Protocol", RFC 5216, March 2008

[TLS 1.2] Dierks, T., Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 5746, August 2008

[DTLS 1.2] E. Rescorla, N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, January 2012





[COAP] Z. Shelby, K. Hartke, C. Bormann, "The Constrained Application Protocol (CoAP)", RFC 7252, June 2014

[ISO7816] ISO 7816, "Cards Identification - Integrated Circuit Cards with Contacts", The International Organization for Standardization (ISO)

10.2 Informative References

[EAP SC] Urien, P., "EAP Support in Smartcard", draft-urien-eap-smartcard-30.txt, December 2016

11 Authors' Addresses

Pascal Urien
Telecom ParisTech
23 avenue d'Italie
75013 Paris
France
Phone: NA
Email: Pascal.Urien@telecom-paristech.fr



























