| Internet-Draft | ACE Pub-sub Profile | March 2023 |
| Palombini, et al. | Expires 14 September 2023 | [Page] |
This document defines an application profile for enabling secure group communication for a constrained Publish-Subscribe (pub/sub) scenario, where Publishers and Subscribers communicate through a broker, using the ACE framework. This profile relies on transport layer or application layer security profiles of ACE to achieve communication security, server authentication and proof-of-possession for a key owned by the Client and bound to an OAuth 2.0 Access Token. The document describes how to request and provision keying material for group communication, and protect the content of the pub/sub client message exchange, focusing mainly on the pub/sub scenarios using the Constrained Application Protocol (CoAP) [I-D.ietf-core-coap-pubsub].¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 14 September 2023.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
In the publish-subscribe (pub/sub) scenario, devices with limited reachability communicate via a broker, which enables store-and-forward messaging between these devices. This document specifies how to request, distribute and renew the keying material and configuration parameters to protect message exchanges for pub/sub communication, using [I-D.ietf-ace-key-groupcomm], which expands from the ACE framework ([RFC9200]). Message exchanges among the participants as well as message formats and processing follow the specifications for provisioning and renewing keying material in group communication scenarios in [I-D.ietf-ace-key-groupcomm].¶
The pub/sub communication using the Constrained Application Protocol (CoAP) [RFC7252] is specified in [I-D.ietf-core-coap-pubsub].This document gives detailed specifications for CoAP pub/sub, and describes how it can be applicable to MQTT [MQTT-OASIS-Standard-v5]; similar adaptations can extend to other transport protocols as well.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Readers are expected to be familiar with:¶
A principal interested to participate in group communication as well as already participating as a group member is interchangeably denoted as "Client", "pub/sub client", or "node".¶
This document describes how to use [I-D.ietf-ace-key-groupcomm] and [RFC9200] to perform authentication, authorization and key distribution actions as overviewed in Section 2 of [I-D.ietf-ace-key-groupcomm], when the considered group is pub/sub clients belonging to the same security group.¶
Pub/sub clients communicate within their application groups mapped to a collection of pub/sub topics. The pub/sub topics may consist of one or more sub-topics, which may have their own sub-topics, forming a hierarchy. The applications decide how to map this hierarchy into different application groups, and a security group SHOULD be associated with a single application group. However, the same application group MAY be associated with multiple security groups. Further details and considerations on the mapping between the two types of groups are out of the scope of this document.¶
The architecture of the scenario is shown in Figure 1. A Client can act both as a publisher and a subscriber, publishing to some topics, and subscribing to others. However, for the simplicity of presentation, this profile describes Publisher and Subscriber Clients separately. The Broker acts as the ACE RS, and also corresponds to the Dispatcher in [I-D.ietf-ace-key-groupcomm]. The Clients communicate with The Key Distribution Center (KDC) to join security groups, and obtain the group keying material.¶
Both Publisher and Subscriber Clients use the same pub/sub communication protocol and the same transport profile of ACE in their interaction with the broker. The pub/sub communication protocol considered in this document is CoAP, as described in [I-D.ietf-core-coap-pubsub], but the specification can apply to other pub/sub protocols such as MQTT [MQTT-OASIS-Standard-v5], or other transport protocols. All clients MUST use CoAP when communicating to the KDC.¶
+----------------+ +----------------+
| | | Key |
| Authorization | | Distribution |
| Server | | Center |
| (AS) | | (KDC) |
+----------------+ +----------------+
^ ^
| |
+---------(A)----+ |
| +--------------------(B)--------+
v v
+------------+ +------------+
| | <-- (O) --> | |
| Pub/Sub | | Broker |
| Client | <-- (C)---> | |
| | | |
+------------+ +------------+
All communications between the involved entities MUST be secured. This profile expects the establishment of a secure connection between a Client and Broker, using an ACE transport profile such as DTLS [RFC9202] or OSCORE [RFC9203] (A and C). Once the client establishes a secure association with KDC with the help of AS, it can request to join the security groups of its pub/sub topics (A and B), and can communicate securely with the other group members, using the keying material provided by the KDC.¶
(C) corresponds to the exchange between the Client and the Broker, where the Client sends its access token to the Broker and establishes a secure connection with the Broker. Depending on the Information received in (A), the connection set-up may involve, for example, a DTLS handshake, or other protocols. Depending on the application, the set up phase may be skipped: for example, if OSCORE is used directly.¶
In addition, this document describes an Optional Discovery though Broker (O), where an anonymous Clients MAY discover the topic categories, topics resources, the AS and the KDC from the Broker.¶
It must be noted that Clients maintain two different security associations. On the one hand, the Publisher and the Subscriber clients have a security association with the Broker, which, as the ACE RS, verifies that the Clients are authorized (Security Association 1). On the other hand, the Publisher has a security association with the Subscriber, to protect the publication content (Security Association 2) while sending it through the broker. The Security Association 1 is set up using AS and a transport profile of [RFC9200], the Security Association 2 is set up using AS, KDC and [I-D.ietf-ace-key-groupcomm].¶
Given that the publication content is protected, the Broker MAY accept unauthorised Subscribers. In this case, the Subscriber client MAY skip setting up Security Association 1 with the Broker and connect to it as an anonymous client to subscribe to topics of interest at the Broker.¶
+------------+ +------------+ +------------+
| | | | | |
| Publisher | | Broker | | Subscriber |
| | | | | |
| | | | | |
+------------+ +------------+ +------------+
: : : : : :
: '------ Security -------' '-----------------------' :
: Association 1 :
'------------------------------- Security --------------'
Association 2
In summary, this profile describes how:¶
Appendix Appendix A lists the specifications on this application profile of ACE, based on the requirements defined in Appendix A of [I-D.ietf-ace-key-groupcomm].¶
The Clients uses the following KDC resources to enable group communication:¶
| KDC resource | Description | Operations |
|---|---|---|
| /ace-group | Required. Contains a set of group names, each corresponding to one of the specified group identifiers | FETCH (All Clients) |
| /ace-group/GROUPNAME | Required. Contains symmetric group keying material associated with GROUPNAME | GET, POST (All) |
| /ace-group/GROUPNAME/creds | Required. Contains the authentication credentials of all the Publisher members of the group with name GROUPNAME | GET, FETCH (All) |
| /ace-group/GROUPNAME/num | Required. Contains the current version number for the symmetric group keying material of the group with name GROUPNAME | GET (All) |
| /ace-group/GROUPNAME/nodes/NODENAME | Required. Contains the group keying material for that group member NODENAME in GROUPNAME. | GET, DELETE (All). PUT not supported. |
| /ace-group/GROUPNAME/nodes/NODENAME/cred | Required. Authentication credential for NODENAME in the group GROUPNAME | POST (Pub) |
| /ace-group/GROUPNAME/kdc-cred | MUST be hosted if a group re-keying mechanism is used. Contains the authentication credential of the KDC for the group with name GROUPNAME. | GET (All) |
| /ace-group/GROUPNAME/policies | Optional. Contains the group policies of the group with | |
| name GROUPNAME. | GET (All) |
Note that the use of these resources follows what is defined in [I-D.ietf-ace-key-groupcomm] applies, and only additions or modifications to that specification are defined in this document.¶
This section describes the interactions between the joining node and the KDC to join a pub/sub group. Source authentication of a message sent within the pub/sub group is ensured by means of a digital signature embedded in the message. Subscribers must be able to retrieve Publishers' authentication credential from a trusted repository, to verify source authenticity of received messages. Hence, on joining a pub/sub group, a Publisher node is expected to provide its own authentication credential to the KDC.¶
On a successful join, the Clients receive the symmetric COSE Key received from the KDC to protect the payload of a published topic data.¶
The message exchange between the joining node and the KDC follows what's defined in Section 4.3.1.1 of [I-D.ietf-ace-key-groupcomm] and only additions or modifications to that specification are defined in this document.¶
Client KDC
|----- Joining Request (CoAP) ------>|
| |
|<-----Joining Response (CoAP) ------|
After establishing a secure communication, the Client sends a Join Request to the KDC as described in Section 4.3 of [I-D.ietf-ace-key-groupcomm]. More specifically, the Client sends a POST request to the /ace-group/GROUPNAME endpoint, with Content-Format "application/ace-groupcomm+cbor". The payload MUST contain the following information formatted as a CBOR map, which MUST be encoded as defined in Section 4.3.1 of [I-D.ietf-ace-key-groupcomm]:¶
As a Publisher Client has its own authentication credential to use in a group, it MUST support client_cred', 'cnonce', 'client_cred_verify' parameters.¶
One of the following cases can occur when a new node attempts to join a pub/sub group.¶
The joining node has a Publisher role, and¶
Finally, the joining node MUST provide its own authentication credential again if it has provided the KDC with multiple authentication credentials during past joining processes intended for different pub/sub groups. If the joining node provides its own authentication credential, the KDC performs consistency checks as per Section 4.1.1 and, in case of success, considers it as the authentication credential associated with the joining node in the pub/sub group.¶
The 'client_cred_verify' parameter contains the proof-of-possession evidence, and is computed as defined below (REQ14).¶
The Publisher signs the scope, concatenated with N_S and concatenated with N_C using the private key corresponding to the public key in the 'client_cred' paramater.¶
The N_S may be either:¶
On receiving the Join Request, the KDC processes the request as defined in Section 4.3.1 of [I-D.ietf-ace-key-groupcomm], and may return a success or error response.¶
If 'client_cred' field is present, the KDC verifies signature in the 'client_cred_verify'. As PoP input, the KDC uses the value of the 'scope' parameter from the Join Request as a CBOR byte string, concatenated with N_S encoded as a CBOR byte string, concatenated with N_C encoded as a CBOR byte string. As public key of the joining node, the KDC uses either the one included in the authentication credential retrieved from the 'client_cred' parameter of the Join Request or the already stored authentication credential from previous interactions with the joining node. The KDC verifies the PoP evidence, which is a signature, by using the public key of the joining node, as well as the signature algorithm used in the group and possible corresponding parameters.¶
For a Publisher Client, the KDC assigns an available Sender ID that has not been used in the group. The KDC MUST NOT assign a Sender ID to the joining node if the node doesn't have a Publisher role. The Sender ID MUST be unique, and MAY be short. ToDo: SenderID Size from groupcomm oscore? - the maximum length of Sender ID in bytes equals the length of the AEAD nonce minus 6; for AES-CCM-16-64-128 the maximum length of Sender ID is 7 bytes.¶
In the case of any join request error, the KDC and the Client attempting the join follow the procedure defined in Section 4.1.3.¶
In the case of success, the Client is added to the list of current members, if not already a member. The Client is assigned a NODENAME and a sub-resource /ace-group/GROUPNAME/nodes/NODENAME. NODENAME is associated to the access token and secure session of the Client. Publishers' client credentials are also associated with tuple containing NODENAME, GROUPNAME, sender ID and access token. The KDC responds with a Join Response with response code 2.01 (Created) if the Client has been added to the list of group members, and 2.04 (Changed) otherwise (e.g., if the Client is re-joining). The Content-Format is "application/ace-groupcomm+cbor". The payload (formatted as a CBOR map) MUST contain the following fields from the Join Response and encode them as defined in Section 4.3.1 of [I-D.ietf-ace-key-groupcomm]:¶
'key': The keying material for group communication includes 'group_SenderId' if the Client is a Publisher, and a "COSE_Key". The "COSE_Key" object is defined in [RFC9052] [RFC9053] and contains:¶
To generate the keying material, the KDC starts at the same Base IV and Partial IV, and different keys are derived for each sender, based on their Sender ID, sent as the 'group_SenderId' inside the 'key' parameter. A Publisher Client MUST support 'group_SenderId' parameter (REQ29).¶
If the application requires backward security, the KDC MUST generate updated security parameters and group keying material, and provide it to the current group members, upon the new node's joining (see Section 4.2.4). In such a case, the joining node is not able to access secure communication in the pubsub group prior its joining.¶
Upon receiving the Join Response, the joining node retrieves the KDC's authentication credential from the 'kdc_cred' parameter. The joining node MUST verify the proof-of-possession (PoP) evidence, which is a signature, specified in the 'kdc_cred_verify' parameter of the Join Response (REQ21).¶
The KDC MUST reply with a 4.00 (Bad Request) error response to the Join Request in the following cases:¶
The 'client_cred' parameter is not present while the joining node is not going to join the group exclusively as a Subscriber, and any of the following conditions holds:¶
A 4.00 (Bad Request) error response from the KDC to the joining node MAY have content format application/ace-groupcomm+cbor and contain a CBOR map as payload. The CBOR map MAY include the 'kdcchallenge' parameter. If present, this parameter is a CBOR byte string, which encodes a newly generated 'kdcchallenge' value that the Client can use when preparing a new Join Request. In such a case the KDC MUST store the newly generated value as the 'kdcchallenge' value associated with the joining node, possibly replacing the currently stored value.¶
On receiving the Join Response, if 'kdc_cred' is present but the Client cannot verify the PoP evidence, the Client MUST stop processing the Join Response and MAY send a new Join Request to the KDC.¶
The Group Manager MUST return a 5.03 (Service Unavailable) response to a Publisher's join request in case there are currently no Sender IDs available.¶
A Publisher Client can contact the KDC to upload a new authentication credential to use in the group, and replace the currently stored one. To this end, it sends a CoAP POST request to the /ace-group/GROUPNAME/nodes/NODENAME/cred. The KDC replaces the stored authentication credential of this Client (identified by NODENAME) with the one specified in the request at the KDC, for the group identified by GROUPNAME.¶
A Client can actively request to leave the group. In this case, the Client sends a CoAP DELETE request to the endpoint /ace-group/GROUPNAME/nodes/NODENAME at the KDC, where GROUPNAME is the group name and NODENAME is its node name. KDC can also remove a group member due to any of the reasons described in Section 5 of [I-D.ietf-ace-key-groupcomm].¶
KDC MUST trigger a group rekeying as described in Section 6 of [I-D.ietf-ace-key-groupcomm] due to a change in the group membership or the current group keying material approaching its expiration time. KDC MAY trigger regularly scheduled update of the group keying material.¶
Upon generating the new group keying material and before starting its distribution, the KDC MUST increment the version number of the group keying material. The KDC MUST preserve the current value of the Sender ID of each member in that group.¶
Default rekeying scheme is Point-to-point (Section 6.1 of [I-D.ietf-ace-key-groupcomm]), where KDC individually targets each node to rekey, using the pairwise secure communication association with that node.¶
If the group rekeying is performed due to one or multiple Publisher Clients that have joined the group, then a rekeying message includes sender IDs, and authentication credentials that those Clients use in the group, together with their roles. This information is specified by means of the parameters 'creds', 'peer_roles' and 'peer_identifiers', like done in the Join Response message.¶
+------------+ +------------+ +------------+ | | | | | | | Publisher | ----(D)---> | Broker | | Subscriber | | | | | <----(E)---- | | | | | | -----(F)---> | | +------------+ +------------+ +------------+
(D) corresponds to the publication of a topic on the Broker, using a CoAP PUT. The publication (the resource representation) is protected with COSE ([RFC9052][RFC9053]) by the Publisher. The (E) message is the subscription of the Subscriber, and uses a CoAP GET with the Observe option set to 0 (zero) [I-D.ietf-core-coap-pubsub]. The subscription MAY be unprotected. The (F) message is the response from the Broker, where the publication is protected with COSE by the Publisher. (ToDo: Add Delete to the flow?)¶
Publisher Broker Subscriber
| --- PUT /topic ----> | |
| protected with COSE | |
| | <--- GET /topic ----- |
| | Observe:0 |
| | ---- response ------> |
| | protected with COSE |
The Publisher uses the symmetric COSE Key received from the KDC to protect the payload of the Publish operation (Section 4.3 of [I-D.ietf-core-coap-pubsub]). Specifically, the COSE Key is used to create a COSE_Encrypt0 object with an AEAD algorithm specified by the KDC. The AEAD key lengths, AEAD nonce length, and maximum Sender Sequence Number (Partial IV) are algorithm dependent.¶
The Publisher uses the private key corresponding to the public key sent to the KDC to countersign the COSE Object as specified in [RFC9052] [RFC9053]. The payload is replaced by the COSE object before the publication is sent to the Broker.¶
The Subscriber uses the 'kid' in the 'countersignature' field in the COSE object to retrieve the right public key to verify the countersignature. It then uses the symmetric key received from KDC to verify and decrypt the publication received in the payload from the Broker (in the case of CoAP the publication is received by the CoAP Notification).¶
The COSE object is constructed in the following way (as described in [RFC9052] [RFC9053]).¶
The protected Headers MUST contain:¶
The unprotected Headers MUST contain:¶
the counter signature¶
The 'external_aad' is an empty string.¶
The encryption and decryption operations are described in [RFC9052] [RFC9053].¶
The steps MQTT clients go through would be similar to the CoAP clients, and the payload of the MQTT PUBLISH messages will be protected using COSE. The MQTT clients needs to use CoAP to communicate to the KDC, to join security groups, and be part of the pair-wise rekeying initiated by the KDC.¶
Authorisation Server (AS) Discovery is defined in Section 2.2.6.1 of [I-D.ietf-ace-mqtt-tls-profile] for MQTT v5 clients (and not supported for MQTT v3 clients). $SYS/ has been widely adopted as a prefix to topics that contain Server-specific information or control APIs, and may be used for topic and KDC discovery.¶
Differently for MQTT, the Client sends an authorisation request to the AS using AIF-MQTT data model for representing the requested scopes is described in Section 3 of the [I-D.ietf-ace-mqtt-tls-profile]. In the authorisation response, the 'profile' claim is set to "mqtt_pubsub_app" as defined in Section 8.1.2.¶
Both Publisher and Subscriber Clients MUST authorise to the Broker with their respective tokens (described in [I-D.ietf-ace-mqtt-tls-profile]) i.e., anonymous Subscribers are not supported in the profile. A Publisher Client sends PUBLISH messages for a given topic and protects the payload with the corresponding key for the associated security group. The Broker validates the PUBLISH message by verifying its topic in the stored token. A Subscriber Client may send SUBSCRIBE messages with one or multiple topic filters. A topic filter may correspond to multiple topics. The Broker validates the SUBSCRIBE message by checking the stored token for the Client. The Broker forwards all PUBLISH messages to all authorised Subscribers, including the retained messages.¶
All the security considerations in [I-D.ietf-ace-key-groupcomm] apply.¶
In the profile described above, when the Publisher and Subscriber use asymmetric crypto, which would make the message exchange quite heavy for small constrained devices. Moreover, all Subscribers must be able to access the public keys of all the Publishers to a specific topic to verify the publications.¶
Even though Access Tokens have expiration times, an Access Token may need to be revoked before its expiration time (see [I-D.draft-ietf-ace-revoked-token-notification-03] for a list of possible circumstances). Clients can be excluded from future publications through re-keying for a certain topic. This could be set up to happen on a regular basis, for certain applications. How this could be done is out of scope for this work. The method described in [I-D.draft-ietf-ace-revoked-token-notification-03] MAY be used to allow an Authorization Server to notify the KDC about revoked Access Tokens.¶
The Broker is only trusted with verifying that the Publisher is authorized to publish, but is not trusted with the publications itself, which it cannot read nor modify. In this setting, caching of publications on the Broker is still allowed.¶
With respect to the reusage of nonces for Proof-of-Possession input, the same considerations apply as in the [I-D.ietf-ace-key-groupcomm-oscore].¶
TODO: expand on security and privacy considerations¶
The following registrations are done for the "ACE Groupcomm Profile" Registry following the procedure specified in [I-D.ietf-ace-key-groupcomm].¶
Note to RFC Editor: Please replace all occurrences of "[[This document]]" with the RFC number of this specification and delete this paragraph.¶
The following registrations are done for the "ACE Groupcomm Key Types" defined in Section 11.7 of [I-D.ietf-ace-key-groupcomm].¶
Note to RFC Editor: Please replace all occurrences of "[[This document]]" with the RFC number of this specification and delete this paragraph.¶
Name: Group_PubSub_COSE_Key¶
Key Type Value: GROUPCOMM_KEY_TBD¶
Profile: coap_group_pubsub_app, defined in Section 8.1.1 of this document.¶
Description: COSE_Key object¶
IANA is asked to register the following entry in the "Resource Type (rt=) Link Target Attribute Values" registry within the "Constrained Restful Environments (CoRE) Parameters" registry group.¶
Clients can use this resource type to discover a group membership resource at a Broker.¶
For the media-types application/aif+cbor and application/aif+json defined in Section 5.1 of [RFC9237], IANA is requested to register the following entries for the two media-type parameters Toid and Tperm, in the respective sub-registry defined in Section 5.2 of [RFC9237] within the "MIME Media Type Sub-Parameter" registry group.¶
*Reference: [[This document]]¶
IANA is asked to register the following entries to the "CoAP Content- Formats" registry within the "Constrained RESTful Environments (CoRE) Parameters" registry group.¶
IANA is asked to register the following entry to the "TLS Exporter Labels" registry defined in Section 6 of [RFC5705] and updated in Section 12 of [RFC8447].¶
This section lists the specifications on this profile based on the requirements defined in Appendix A of [I-D.ietf-ace-key-groupcomm].¶
The author wishes to thank Ari Keränen, John Preuß Mattsson, Ludwig Seitz, Göran Selander, and Jim Schaad for the useful discussion and reviews that helped shape this document.¶
The work on this document has been partly supported by the H2020 project SIFIS-Home (Grant agreement 952652).¶