OSCORE support in Leshan #725
Comments
sbernard31
added
client
|
Tentative plan for next steps:
|
|
I have now created PR #749 to update the code to use Californium 2.0.0-M17 instead. I will create a new PR to change the OSCORE context database to not be a singleton in Leshan anymore. |
|
I have now made a PR that adds support for setting OSCORE related security parameters in command line arguments to the client here #755 |
|
I add this link : https://omaspecworks.org/end-to-end-security-for-the-internet-of-things/ about this topic. |
Thanks for providing a link to that document. Nice to see it also brings up ACE and EDHOC. I am following the work in the IETF LAKE working group (for creating a lightweight authenticated key exchange for OSCORE). ACE is also something we are using in various use cases. |
|
Continuing the discussion from the last PR. On a very high level the initial goal for me would be support for communicating with OSCORE between Client & Device Manager, communicating with OSCORE between Client & Bootstrap Server, and a Client being able receive bootstrapping information with OSCORE security material from the Bootstrap Server. Currently the first two points functionally work (but needs adjustments). As a bit more detailed plan these are points I can think of:
In the end I think it's better to rebase the code now, otherwise it would be even more potential conflicts in the future. As you mentioned in the last PR we should also discuss considerations related to the OSCORE store. I could create a separate issue about that. |
About rebasing, maybe in practice it would be easier to cherry pick only needed commits (probably avoiding all which is not about OSCORE like SenML and californium integration?). As this will be really painful and as I feel myself a bit responsible for that. I would try to work on this.
👍 |
|
@rikard-sics I started to work on rebasing, I create a dedicated issue to discuss about that : #866 |
|
I have now created a PR to remove the ID context inputs as we discussed. See #867 |
|
Some further comments now after the rebase. One thought I had was that it may be good to add some JUnit tests for OSCORE functionality? Then I also realized an inconsistency. The way that Sender ID and Recipient ID are entered on the web UI for the Bootstrap Server and Management Server are opposite. Probably since the UI is for adding and configuring a new client it is better if the Sender ID and Recipient ID are from the client's point of view. I can make a change like that in the future. So some further steps can be:
Also I will be fairly inactive now during August since I will be going on vacation. |
It sounds good to me.
Me too at least the first 2 weeks of August :) |
|
Just to summarize the lists of next steps above with the points taken care of removed:
|
I have now created an issue for further discussion about an OSCORE store at #920. |
|
Hello Leshan Community. Could anyone kindly help me to understand why I have faced the following fails when using server-client connections in OSCORE mode after the client is registered on the server.
|
Hello. I have been working on adding OSCORE support to Leshan. Thank you for the feedback regarding this functionality. Let me try to reply to the points you list.
|
I have now submitted a pull request that should also solve this issue. |
|
Rikard, During the '*demo.jar' making process I faced the error on '[INFO] leshan - integration tests ......................... FAILURE [ 11.396 s]' step. But I succeed the making with '-fn' option. The log for debugging purpose with '-e -X' is here. You mentioned that the OSCORE mode was added for DM account on the Bootstrap server and actually I could add it but NO_SEC mode is shown (due to it is not implemented yet). Is there a way to perform the Bootstrapping on the current stage from command line? |
|
Please ignore my question concerning the ability of the Bootstrap procedure. The client was successfully bootstrapped and reachable on DM server. The only issue is this 'Failed to retrieve OSCORE object linked from BS security object' line. Is it acceptable? BS: java -jar leshan-bsserver-demo/target/leshan-bsserver-demo--SNAPSHOT-jar-with-dependencies.jar -lp 5693 -slp 5694 2020-12-22 15:52:03,896 INFO LeshanClient - Starting Leshan client ... |
I guess it could be an issue relative to #950 (comment).
I also face the tests failure I this this is because of : #950 (comment) |
Thanks for the feedback. I have now updated the PR and code in my branch to fix this. |
|
@rikard-sics We didn't get news from you since a long time. |
Hello. Yes I am indeed working on OSCORE. Currently I am working on implementing usage of the OSCORE Appendix B.2 procedure when OSCORE is used in Leshan. It is specified in the LWM2M 1.1 Transport Bindings document section 5.5.3 that Appendix B.2 of OSCORE should be used. Basically Appendix B.2 derives a new OSCORE Security Context (with new Sender and Recipient keys). The benefit this has is that if a LWM2M client reboots and starts using the same Security Context that it was originally configured with, it will not be using the same Sender Key while starting over from sequence number 0 (thus having nonce and key reuse). But rather it will first run Appendix B.2 to generate a new Context (Sender and Recipient keys) with the LWM2M Server or LWM2M Bootstrap server. So essentially every time the client connects the first time using OSCORE to a LWM2M Server or LWM2M Bootstrap server, Appendix B.2 will be run. See https://tools.ietf.org/html/rfc8613#appendix-B.2 However, the core functionality for Appendix B.2 is implemented in Californium. While trying to make use of this in Leshan I realized there was an issue in the Californium code, in the specific case the client takes initiative to run Appendix B.2 but the server is then the first to actually send a request afterwards (as will happen when bootstrapping or registering). So basically I am now working on the Californium code to fix this issue (and some other things about Appendix B.2). My aim is to have a PR created for Californium in the coming week. Then I will move over to implement this in Leshan (perhaps I can have an intermediate solution until Californium releases a new version). One nice benefit of having this Appendix B.2 functionality-wise is also that currently if the client is restarted but the server is not, the server will complain about replayed messages. But since Appendix B.2 refreshes the security contexts this problem will no longer exist. |
@rikard-sics, I get you are very busy and if you succeed to find some time please to not hesitate to give us some feedback. I list here some recent comments which probably need a feedback from you : @Michal-Wadowski is already very involved on this and I will try to imply more too, hoping we will be able to get a Minimal viable OSCORE feature integrated in master. I think a plan could be :
|
|
I just rebased oscore branch on current master in PR #1201. |
Yes I apologize for the absence. I should now be coming into a period where I can put more time into this work. I think one of the key points is considering how the OSCORE store is to be implemented. I also want to thank @Michal-Wadowski for his interest and contributions to this work, it is very appreciated. |
Signed-off-by: Rikard Höglund <rikard.hoglund@ri.se> Also-by: Simon Bernard <sbernard@sierrawireless.com> Also-by: Michał Wadowski <Michal.Wadowski@orange.com>
I integrated this (#1201 (comment))
No problem 😉
I agree. |
|
I will start to work on re-implementing the demo part of OSCORE feature (#1203). |
Thanks, sounds great! |
Signed-off-by: Rikard Höglund <rikard.hoglund@ri.se> Also-by: Simon Bernard <sbernard@sierrawireless.com> Also-by: Michał Wadowski <Michal.Wadowski@orange.com>
Signed-off-by: Rikard Höglund <rikard.hoglund@ri.se> Also-by: Simon Bernard <sbernard@sierrawireless.com> Also-by: Michał Wadowski <Michal.Wadowski@orange.com>
Signed-off-by: Rikard Höglund <rikard.hoglund@ri.se> Also-by: Simon Bernard <sbernard@sierrawireless.com> Also-by: Michał Wadowski <Michal.Wadowski@orange.com>
|
Hi, sorry for asking again, but do you have any OSCORE status update? I noticed the commit from a week ago, but do you know approximately when OSCORE will be available on Client/Server/Bootstrap Server? |
I guess it depends what you mean by "OSCORE will be available on Client/Server/Bootstrap Server" But anyway, keep in mind that this first version will probably not be production ready. |
|
Ok, thanks for the information 👍 |
Signed-off-by: Rikard Höglund <rikard.hoglund@ri.se> Also-by: Simon Bernard <sbernard@sierrawireless.com> Also-by: Michał Wadowski <Michal.Wadowski@orange.com>
Signed-off-by: Rikard Höglund <rikard.hoglund@ri.se> Also-by: Simon Bernard <sbernard@sierrawireless.com> Also-by: Michał Wadowski <Michal.Wadowski@orange.com>
|
OSCORE experimental support in now integrated in I also updated |
|
I list some missing point about a minimal viable feature : |
|
@rikard-sics, we don't get so much news from you since a long time. I really hope you're doing well. 🙂 Please do not hesitate to give us some news from you. |
Yes, sorry for the period of silence. I have been busy mostly with other unrelated things. As for Californium I have prepared code for updating the Appendix B.2 functionality, after doing interop testing with another implementer. I intend to create a PR for that to Californium in the near future. Currently I am working on wrapping up a paper, when that is done (a matter of weeks) I hope to have more time to get back to the work related to Leshan. |
|
@rikard-sics, just to let you know that we are experimenting java-coap (fork) as californium alternative. (#1373) By the way, @szysas does OSCORE (RFC8613) could be part of java-coap scope ? (this is a more a long term question) |
|
Yes, it could be, but so far no work has been done nor started. |
I see, thanks for the update. I will have a look at that library. |
This issue aims to centralize all about OSCORE integration in Leshan 2.0.0(LWM2M 1.1).
Currently work is in progress leading by @rikard-sics, he also works on OSCORE integration in Californium.
See specification for more details :
The code will be available in a
oscorebranch, waiting we have a minimal viable feature which could be integrated in a 2.0.0 branch.A minimal viable feature could be :
(Demo are not mandatory for a minimal viable feature but integration test should be there)
The text was updated successfully, but these errors were encountered: