Internet-Draft Applying Generate Random Extensions And July 2026
Amsüss Expires 7 January 2027 [Page]
Workgroup:
LAKE
Internet-Draft:
draft-ietf-lake-edhoc-grease-03
Published:
Intended Status:
Informational
Expires:
Author:
C. Amsüss

Applying Generate Random Extensions And Sustain Extensibility (GREASE) to EDHOC Extensibility

Abstract

This document applies the extensibility mechanism GREASE (Generate Random Extensions And Sustain Extensibility), which was pioneered for TLS, to the ecosystem of Ephemeral Diffie-Hellman Over COSE (EDHOC). It reserves a set of External Authorization Data (EAD) labels and unusable cipher suites that may be included in messages to ensure peers correctly handle unknown values.

Discussion Venues

This note is to be removed before publishing as an RFC.

Discussion of this document takes place on the Lightweight Authenticated Key Exchange Working Group mailing list (lake@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/lake/.

Source for this draft and an issue tracker can be found at https://github.com/lake-wg/grease.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 7 January 2027.

Table of Contents

1. Introduction

This document applies the extensibility mechanism GREASE (Generate Random Extensions And Sustain Extensibility), which was pioneered for TLS in [RFC8701], to Ephemeral Diffie-Hellman Over COSE (EDHOC, [RFC9528]) ecosystem.

The introduction of [RFC8701] and Section 3.3 of [RFC9170] provide comprehensive motivation for adding such extensions; [I-D.iab-protocol-greasing] provides additional background that influenced this document.

The extension points of the EDHOC protocol are cipher suites, methods, EAD (External Authorization Data) items and COSE header parameters. This document utilizes the cipher suite and EAD extension points.

Unlike in TLS GREASE [RFC8701], EDHOC is operating on tight bandwidth and message size budget, with some messages just barely fitting within relevant networks' fragmentation limits. Thus, more than with TLS GREASE, it is up to implementations to decide whether in their particular use case they can afford to send additional data.

1.1. Variability in other extension points

If the selected method is unsupported by the Responder, EDHOC does not conclude successfully. While values could be reserved for these for use as GREASE, these failed attempts would not be verified between the EDHOC participants without maintaining state between attempted EDHOC sessions. Such an addition is considered impractical for constrained devices, and thus out of scope for this document.

Recommendations for GREASE in Section 4 of [I-D.iab-protocol-greasing] also include varying other aspects of the protocol, such as varying sequences of elements. EDHOC has little known variability, and intentionally limits choice at times (for example, Section 3.3.2 of [RFC9528] allows only the numeric identifier form where that is possible). Where variation is allowed, e.g., in padding or in the ordering of EAD items, applications are encouraged to exercise it.

The extension point of COSE header parameters (identifying other ID_CRED_x types) is beyond the scope of this document, and might be addressed orthogonally in the "COSE Header Parameters" registry.

1.2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

2. The GREASE EAD labels

This document registers the following EAD labels for use with GREASE EAD items:

160, 41120, 43690, 44975

These EAD labels can be used in any EDHOC message for non-critical EAD items (see Section 3.8 of [RFC9528]).

The numbers cover the different lengths of encoding available in CBOR for the registry's range (except the 23 precious small values). It is expected that future documents register additional values with the same semantics.

2.1. Use of GREASE EAD items by message senders

A sender of an EDHOC message MAY include an arbitrary number of GREASE EAD items, with any or no ead_value (that is, with or without a byte string of any usable length). Both parties (the Initiator and the Responder) can send GREASE EAD items in any EDHOC message, without any need for coordination.

Senders SHOULD consider the properties of the network their messages are sent over, and refrain from adding GREASE when its use would be detrimental to the network (for example, they might use it less frequently when the added size causes fragmentation of the message).

On networks where the data added by the grease EAD items does not significantly impact the network, senders SHOULD irregularly send arbitrary (possibly random) GREASE EAD items with their messages to ensure that errors resulting from the use of GREASE are detected.

The GREASE EAD items MAY be used as an alternative form of padding.

2.1.1. Pattern for limited fingerprinting

A method of applying GREASE is suggested as follows:

  • For every message, use GREASE with a random probability of 1 in 64.

  • Pick a random GREASE label out of the uniform distribution of available options.

  • Pick a random length from the uniformly distributed interval 9 to 40 (inclusive).

  • Add the selected GREASE label with a value of the selected length, filled with random bytes.

Running EDHOC already requires the presence of a cryptographically secure random number generator. Implementers can use that same source here to avoid any privacy implications from insufficiently initialized faster sources of randomness.

2.2. Use of GREASE EAD items by message recipients

A party receiving a GREASE EAD item MUST NOT alter its behavior in any way that would allow random GREASE EAD items to alter the security context that gets established.

It MAY alter its behavior in other ways; in particular, it SHOULD randomly insert GREASE EAD items in later messages of a session in which unprocessed EAD items (including GREASE EAD items) were present.

Implementations SHOULD NOT attempt to recognize GREASE EAD items, and SHOULD apply the default processing rules.

3. GREASE cipher suites

This document registers the following GREASE cipher suites:

160, 41120, -41121, 43690

The numbers cover the different lengths of encoding available in CBOR for the registry's range (except the 46 precious small values), and both available signs. It is expected that future documents register additional values with the same semantics.

An Initiator may insert a GREASE cipher suite at any position in its sequence of preferred cipher suites.

A Responder MUST NOT support any of these GREASE cipher suites, and MUST treat them like any other cipher suite it does not support.

Thus, a GREASE cipher suite never occurs as the selected cipher suite, i.e., it is never specified as the last cipher suite in EDHOC message_1. An Initiator whose offer of a GREASE cipher suite is accepted through cipher suite negotiation (Section 6.3 of [RFC9528]) needs to discontinue the protocol.

5. Privacy considerations

The way in which GREASE is applied can contribute to identifying which implementation of EDHOC is being used. Implementers of EDHOC are encouraged to use the algorithm described in Section 2.1.1, both to reduce the likelihood of their implementation to be identified through the use of GREASE and to increase the anonymity set of other users of the same algorithm.

6. Security Considerations

The use of GREASE has no impact on security in a correct EDHOC implementation.

As the application of GREASE contributes to an ecosystem that can have security updates deployed in the future, implementers of EDHOC are strongly encouraged to apply GREASE regularly whenever their operational constraints permit it.

7. IANA considerations

7.1. EDHOC EAD labels

IANA is requested to register four new entries into the EDHOC External Authorization Data Registry established in [RFC9528]:

160, 41120, 43690, 44975

All share the name "GREASE", the description "Arbitrary data to ensure extensibility", and this document as a reference.

7.2. EDHOC cipher suites

IANA is requested to register four new values into the EDHOC Cipher Suites Registry established in [RFC9528]:

160, 41120, -41121, 43690

All share the array N/A, the description "Unimplementable GREASE cipher suite to ensure extensibility", and this document as a reference.

8. References

8.1. Normative References

[RFC9528]
Selander, G., Preuß Mattsson, J., and F. Palombini, "Ephemeral Diffie-Hellman Over COSE (EDHOC)", RFC 9528, DOI 10.17487/RFC9528, , <https://www.rfc-editor.org/rfc/rfc9528>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.

8.2. Informative References

[RFC8701]
Benjamin, D., "Applying Generate Random Extensions And Sustain Extensibility (GREASE) to TLS Extensibility", RFC 8701, DOI 10.17487/RFC8701, , <https://www.rfc-editor.org/rfc/rfc8701>.
[RFC9170]
Thomson, M. and T. Pauly, "Long-Term Viability of Protocol Extension Mechanisms", RFC 9170, DOI 10.17487/RFC9170, , <https://www.rfc-editor.org/rfc/rfc9170>.
[I-D.iab-protocol-greasing]
Pardue, L., Pauly, T., and D. Thaler, "Considerations For Maintaining Protocols Using Grease and Variability", Work in Progress, Internet-Draft, draft-iab-protocol-greasing-01, , <https://datatracker.ietf.org/doc/html/draft-iab-protocol-greasing-01>.
[I-D.ietf-core-comi]
Veillette, M., Van der Stok, P., Pelov, A., Bierman, A., and C. Bormann, "CoAP Management Interface (CORECONF)", Work in Progress, Internet-Draft, draft-ietf-core-comi-21, , <https://datatracker.ietf.org/doc/html/draft-ietf-core-comi-21>.

Appendix A. Using extension points beyond successful EDHOC runs

Some ways of using the extension points, in particular the use of critical GREASE EAD items and placing a GREASE cipher suite in the selected position do not result in the successful continuation of the EDHOC session.

They can be useful during testing (e.g., to verify that a peer does indeed implement the correct behavior of not silently tolerating critical EAD items it can not process), particularly when they allow a testing system to provoke an error response from the implementation under test. However, this document is concerned with test performed during successful operation, therefore that application is out of scope.

Appendix B. Change log

Since draft-ietf-lake-edhoc-grease-01: Address a WGLC comment that was missed.

Since draft-ietf-lake-edhoc-grease-01: Address WGLC comments.

Since draft-ietf-lake-edhoc-grease-00: Resolve all open issues.

Since draft-amsuess-lake-edhoc-grease-01:

Since draft-amsuess-lake-edhoc-grease-00:

Since draft-amsuess-core-edhoc-grease-01:

Since -00:

Acknowledgements

Marco Tiloca pointed out a critical error in the numeric constructions, and provided many general improvements. Göran Selander provided input to reduce mistakable text. Meiling Chen and Shujaatali Badami found places where the text did not provide the right guidance to readers.

Author's Address

Christian Amsüss
Austria