-
Notifications
You must be signed in to change notification settings - Fork 5
/
draft-ietf-suit-firmware-encryption.txt
3192 lines (2162 loc) · 109 KB
/
draft-ietf-suit-firmware-encryption.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
SUIT H. Tschofenig
Internet-Draft H-BRS
Intended status: Standards Track R. Housley
Expires: 10 June 2025 Vigil Security
B. Moran
Arm Limited
D. Brown
Linaro
K. Takayama
SECOM CO., LTD.
7 December 2024
Encrypted Payloads in SUIT Manifests
draft-ietf-suit-firmware-encryption-22
Abstract
This document specifies techniques for encrypting software, firmware,
machine learning models, and personalization data by utilizing the
IETF SUIT manifest. Key agreement is provided by ephemeral-static
(ES) Diffie-Hellman (DH) and AES Key Wrap (AES-KW). ES-DH uses
public key cryptography while AES-KW uses a pre-shared key.
Encryption of the plaintext is accomplished with conventional
symmetric key cryptography.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 10 June 2025.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
Tschofenig, et al. Expires 10 June 2025 [Page 1]
Internet-Draft Encrypted Payloads in SUIT Manifests December 2024
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions and Terminology . . . . . . . . . . . . . . . . . 4
3. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Encryption Extensions . . . . . . . . . . . . . . . . . . . . 7
5. Extended Directives . . . . . . . . . . . . . . . . . . . . . 8
6. Content Key Distribution . . . . . . . . . . . . . . . . . . 10
6.1. Content Key Distribution with AES Key Wrap . . . . . . . 10
6.1.1. Introduction . . . . . . . . . . . . . . . . . . . . 10
6.1.2. Deployment Options . . . . . . . . . . . . . . . . . 11
6.1.3. CDDL . . . . . . . . . . . . . . . . . . . . . . . . 12
6.2. Content Key Distribution with Ephemeral-Static
Diffie-Hellman . . . . . . . . . . . . . . . . . . . . . 13
6.2.1. Introduction . . . . . . . . . . . . . . . . . . . . 13
6.2.2. Deployment Options . . . . . . . . . . . . . . . . . 13
6.2.3. CDDL . . . . . . . . . . . . . . . . . . . . . . . . 14
6.2.4. Context Information Structure . . . . . . . . . . . . 15
7. Content Encryption . . . . . . . . . . . . . . . . . . . . . 17
7.1. AES-GCM . . . . . . . . . . . . . . . . . . . . . . . . . 18
7.1.1. Introduction . . . . . . . . . . . . . . . . . . . . 19
7.1.2. AES-KW + AES-GCM Example . . . . . . . . . . . . . . 19
7.1.3. ECDH-ES+AES-KW + AES-GCM Example . . . . . . . . . . 20
7.2. AES-CTR . . . . . . . . . . . . . . . . . . . . . . . . . 22
7.2.1. Introduction . . . . . . . . . . . . . . . . . . . . 22
7.2.2. AES-KW + AES-CTR Example . . . . . . . . . . . . . . 23
7.2.3. ECDH-ES+AES-KW + AES-CTR Example . . . . . . . . . . 24
7.3. AES-CBC . . . . . . . . . . . . . . . . . . . . . . . . . 26
7.3.1. Introduction . . . . . . . . . . . . . . . . . . . . 26
7.3.2. AES-KW + AES-CBC Example . . . . . . . . . . . . . . 27
7.3.3. ECDH-ES+AES-KW + AES-CBC Example . . . . . . . . . . 29
8. Integrity Check on Encrypted and Decrypted Payloads . . . . . 30
8.1. Validating Payload Integrity . . . . . . . . . . . . . . 31
8.1.1. Image Match after Decryption . . . . . . . . . . . . 31
8.1.2. Image Match before Decryption . . . . . . . . . . . . 31
8.1.3. Checking Authentication Tag while Decrypting . . . . 32
8.2. Payload Integrity Validation . . . . . . . . . . . . . . 32
9. Firmware Updates on IoT Devices with Flash Memory . . . . . . 34
10. Complete Examples . . . . . . . . . . . . . . . . . . . . . . 36
Tschofenig, et al. Expires 10 June 2025 [Page 2]
Internet-Draft Encrypted Payloads in SUIT Manifests December 2024
10.1. AES Key Wrap Example with Write Directive . . . . . . . 37
10.2. AES Key Wrap Example with Fetch + Copy Directives . . . 39
10.3. ES-DH Example with Write + Copy Directives . . . . . . . 44
10.4. ES-DH Example with Dependency . . . . . . . . . . . . . 46
11. Operational Considerations . . . . . . . . . . . . . . . . . 51
12. Security Considerations . . . . . . . . . . . . . . . . . . . 52
13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 54
14. References . . . . . . . . . . . . . . . . . . . . . . . . . 54
14.1. Normative References . . . . . . . . . . . . . . . . . . 54
14.2. Informative References . . . . . . . . . . . . . . . . . 55
Appendix A. Full CDDL . . . . . . . . . . . . . . . . . . . . . 56
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 56
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 56
1. Introduction
Vulnerabilities in Internet of Things (IoT) devices have highlighted
the need for a reliable and secure firmware update mechanism,
especially for constrained devices. To protect firmware images, the
SUIT manifest format was developed [I-D.ietf-suit-manifest]. A
manifest is a bundle of metadata about the firmware for an IoT
device, where to find the firmware, and the devices to which it
applies. [RFC9124] outlines the necessary information a SUIT
manifest has to provide. In addition to protecting against
modification via digital signatures or message authentication codes,
the format can also offer confidentiality.
Encryption prevents third parties, including attackers, from
accessing the payload. Attackers often require detailed knowledge of
a binary, such as a firmware image, to launch successful attacks.
For instance, return-oriented programming (ROP) [ROP] requires access
to the binary, and encryption makes writing exploits significantly
more difficult. Beyond ensuring the confidentiality of the binary
itself, protecting the confidentiality of the source code will also
be necessary to prevent reverse engineering and reproduction of the
firmware.
While the initial motivation for this document was firmware
encryption, the use of SUIT manifests has expanded to cover other
scenarios requiring integrity and confidentiality protection, such
as:
* software packages,
* personalization data,
* configuration data, and
Tschofenig, et al. Expires 10 June 2025 [Page 3]
Internet-Draft Encrypted Payloads in SUIT Manifests December 2024
* machine learning models.
Thus, the term "payload" is used generically to refer to all these
objects.
The payload is encrypted using a symmetric content encryption key,
which can be established through various mechanisms. This document
defines two content key distribution methods for use with the IETF
SUIT manifest:
* Ephemeral-Static (ES) Diffie-Hellman (DH), and
* AES Key Wrap (AES-KW).
The first method relies on asymmetric cryptography, while the second
uses symmetric cryptography.
Our design aims to reduce the number of content key distribution
methods for payload encryption, thereby increasing interoperability
between different SUIT manifest parser implementations.
The goal of this specification is to protect payloads both during
end-to-end transport (from the distribution system to the device) and
at rest when stored on the device. Constrained devices often employ
eXecute In Place (XIP), a method of executing code directly from
flash memory rather than loading it into RAM. Many of these devices
lack hardware-based, on-the-fly decryption for code stored in flash
memory, which may require decrypting and storing firmware images in
on-chip flash before execution. However, we expect hardware-based,
on-the-fly decryption to become more common in the future, enhancing
confidentiality at rest.
2. Conventions and Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
This document assumes familiarity with the IETF SUIT manifest
[I-D.ietf-suit-manifest], the SUIT information model [RFC9124], and
the SUIT architecture [RFC9019].
The following abbreviations are used in this document:
* Key Wrap (KW), defined in [RFC3394] (for use with AES)
Tschofenig, et al. Expires 10 June 2025 [Page 4]
Internet-Draft Encrypted Payloads in SUIT Manifests December 2024
* Key-Encryption Key (KEK) [RFC3394]
* Content-Encryption Key (CEK) [RFC5652]
* Ephemeral-Static (ES) Diffie-Hellman (DH) [RFC9052]
* Authenticated Encryption with Associated Data (AEAD)
* Execute in Place (XIP)
The terms sender and recipient have the following meaning:
* Sender: Entity that sends an encrypted payload.
* Recipient: Entity that receives an encrypted payload.
Additionally, we introduce the term "distribution system" (or
distributor) to refer to an entity that knows the recipients of
payloads. It is important to note that the distribution system is
far more than a file server. For use of encryption, the distribution
system either knows the public key of the recipient (for ES-DH), or
the KEK (for AES-KW).
The author, which is responsible for creating the payload, does not
know the recipients. The author may, for example, be a developer
building a firmware image.
The author and the distribution system are logical roles. In some
deployments these roles are separated in different physical entities
and in others they are co-located.
3. Architecture
[RFC9019] outlines the architecture for distributing payloads and
manifests from an author to devices. However, it does not cover
payload encryption in detail. This document extends that
architecture to support encryption, as illustrated in Figure 1.
To encrypt a payload, it is essential to know the recipient. For
AES-KW, the Key Encryption Key (KEK) must be known, and for ES-DH,
the sender needs access to the recipient's public key. This public
key and its associated parameters may be found in the recipient's
X.509 certificate [RFC5280]. For authentication and integrity
protection, recipients must be provisioned with a trust anchor when
the manifest is protected by a digital signature. If a MAC is used
for manifest protection, a symmetric key must be shared between the
recipient and the sender.
Tschofenig, et al. Expires 10 June 2025 [Page 5]
Internet-Draft Encrypted Payloads in SUIT Manifests December 2024
With encryption, the author cannot simply create and sign a manifest
for the payload, as the recipients are often unknown. Therefore, the
author must collaborate with the distribution system. The degree of
this collaboration is discussed below.
The primary purpose of encryption is to protect against adversaries
along the path between the distribution system and the device. There
is also a risk that adversaries may extract the decrypted firmware
image from the device itself. Consequently, the device must be
safeguarded against physical attacks, though such countermeasures are
typically beyond the scope of IETF specifications.
Note: It is assumed that the communication between the author and the
distribution system is secure. For example, the author might upload
the manifest and firmware image to the distribution system using a
secure HTTPS REST API.
+----------+
| Device | +----------+
| 1 |<--+ | Author |
| | | +----------+
+----------+ | |
| | Payload +
| | Manifest
| v
+----------+ | +--------------+
| Device | | Payload + Manifest | Distribution |
| 2 |<--+------------------------| System |
| | | +--------------+
+----------+ |
|
... |
|
+----------+ |
| Device | |
| n |<--+
| |
+----------+
Figure 1: Architecture for the distribution of Encrypted Payloads.
When the author delegates encryption rights to the distributor, two
models are possible:
1. Replacing the COSE_Encrypt and Re-signing the Manifest: The
distributor replaces the COSE_Encrypt structure in the manifest
and then signs the manifest again. However, since the
COSE_Encrypt structure is within a signed container, this
Tschofenig, et al. Expires 10 June 2025 [Page 6]
Internet-Draft Encrypted Payloads in SUIT Manifests December 2024
presents a challenge: replacing COSE_Encrypt alters the digest of
the manifest, thereby invalidating the signature. As a result,
the distributor must be able to sign the new manifest. If this
is the case, the distributor gains the authority to construct and
sign manifests, effectively allowing them to sign code and giving
them full control over the recipient. Distributors typically
perform re-encryption online to manage large numbers of devices
efficiently, which prevents air-gapping the signing operations.
This has implications for the recommendations in Section 4.3.17
of [RFC9124]. Despite these issues, this model represents the
current standard practice for IoT firmware updates.
2. Two-Layer Manifest System: The distributor creates a new manifest
that overrides the COSE_Encrypt using the dependency system
defined in [I-D.ietf-suit-trust-domains]. This method introduces
additional overhead, including one more signature verification,
one extra manifest, and the need for extra mechanisms on the
recipient side to handle dependency processing. While this adds
complexity, it also enhances security.
These two models offer different threat profiles for the distributor.
If the distributor is limited to encryption rights, an attacker who
breaches the distributor can only launch a limited attack by
encrypting a modified binary. However, recipients will detect the
attack during the image digest check and immediately revert to the
correct image.
It is RECOMMENDED that distributors adopt the two-layer manifest
approach to distribute content encryption keys without re-signing the
manifest, despite the added complexity and the increased number of
signature verifications required on the recipient side.
4. Encryption Extensions
This specification introduces a new extension to the SUIT_Parameters
structure.
The SUIT_Encryption_Info structure (referred to as suit-parameter-
encryption-info in Figure 2) contains the content key distribution
information. The details of the SUIT_Encryption_Info structure are
provided in Section 6.1 (for AES-KW) and Section 6.2 (for ES-DH).
Once a CEK is available, the steps outlined in Section 7 apply to
both content key distribution methods described in this section.
Tschofenig, et al. Expires 10 June 2025 [Page 7]
Internet-Draft Encrypted Payloads in SUIT Manifests December 2024
The SUIT_Encryption_Info structure is carried within either the suit-
directive-override-parameters or suit-directive-set-parameters used
in the "Directive Write" and "Directive Copy" operations. An
implementation conforming to this specification must support these
two parameters.
Interoperability requirements for content key distribution methods
vary: since a device will typically support only one of the two
specified methods, the distribution system needs to know which method
is supported. Limiting a constrained device to a single content key
distribution method also helps reduce code size.
SUIT_Parameters //= (suit-parameter-encryption-info
=> bstr .cbor SUIT_Encryption_Info)
suit-parameter-encryption-info = TBD19
Figure 2: CDDL of the SUIT_Parameters Extension.
RFC Editor's Note (TBD19): The value for the suit-parameter-
encryption-info parameter is set to 19, as the proposed value.
5. Extended Directives
This specification extends the following directives:
* Directive Write (suit-directive-write): Used to decrypt the
content specified by suit-parameter-content using suit-parameter-
encryption-info.
* Directive Copy (suit-directive-copy): Used to decrypt the content
of the component specified by suit-parameter-source-component
using suit-parameter-encryption-info.
Examples of these two directives are provided below, focusing on the
essential aspects. A complete example for AES Key Wrap with the
Fetch and Copy directives can be found in Section 10.2, while an
example illustrating the Write directive is shown in Section 10.1.
Figure 3 illustrates the Directive Write. The encrypted payload
specified by parameter-content, represented as h'EA1...CED' in the
example, is decrypted using the SUIT_Encryption_Info structure
referenced by parameter-encryption-info, i.e., h'D86...1F0'. The
resulting plaintext payload is then stored in component #0.
Tschofenig, et al. Expires 10 June 2025 [Page 8]
Internet-Draft Encrypted Payloads in SUIT Manifests December 2024
/ directive-override-parameters / 20, {
/ parameter-content / 18: h'EA1...CED',
/ parameter-encryption-info / TBD19: h'D86...1F0'
},
/ directive-write / 18, 15
Figure 3: Example showing the extended suit-directive-write.
RFC Editor's Note (TBD19): The value for the parameter-encryption-
info parameter is set to 19, as the proposed value.
Figure 4 illustrates the Directive Copy. In this example the
encrypted payload is found at the URI indicated by the parameter-uri,
i.e., "http://example.com/encrypted.bin". The encrypted payload will
be downloaded and stored in component #1. Then, the information in
the SUIT_Encryption_Info structure referred to by parameter-
encryption-info, i.e., h'D86...1F0', will be used to decrypt the
content in component #1 and the resulting plaintext payload will be
stored into component #0.
/ directive-set-component-index / 12, 1,
/ directive-override-parameters / 20, {
/ parameter-uri / 21: "http://example.com/encrypted.bin",
},
/ directive-fetch / 21, 15,
/ directive-set-component-index / 12, 0,
/ directive-override-parameters / 20, {
/ parameter-encryption-info / TBD19: h'D86...1F0',
/ parameter-source-component / 22: 1
},
/ directive-copy / 22, 15
Figure 4: Example showing the extended suit-directive-copy.
RFC Editor's Note (TBD19): The value for the suit-parameter-
encryption-info parameter is set to 19, as the proposed value.
The payload to be encrypted may be detached and, in that case, it is
not covered by the digital signature or the MAC protecting the
manifest. (To be more precise, the suit-authentication-wrapper found
in the envelope contains a digest of the manifest in the SUIT Digest
Container.)
The lack of authentication and integrity protection of the payload is
particularly a concern when a cipher without integrity protection is
used.
Tschofenig, et al. Expires 10 June 2025 [Page 9]
Internet-Draft Encrypted Payloads in SUIT Manifests December 2024
To provide authentication and integrity protection of the payload in
the detached payload case a SUIT Digest Container with the hash of
the encrypted and/or plaintext payload MUST be included in the
manifest. See suit-parameter-image-digest parameter in
Section 8.4.8.6 of [I-D.ietf-suit-manifest].
Once a CEK is available, the steps described in Section 7 are
applicable. These steps apply to both content key distribution
methods.
6. Content Key Distribution
The following sub-sections describe two content key distribution
methods: AES Key Wrap (AES-KW) and Ephemeral-Static Diffie-Hellman
(ES-DH). While many other methods are specified in the literature
and supported by COSE, AES-KW and ES-DH were chosen for their
widespread use in the market today. They were selected for their
maturity, differing security properties, and strong interoperability.
Both content key distribution methods require the CEKs to be randomly
generated. The guidelines for random number generation in [RFC8937]
MUST be followed.
When sending an encrypted payload to multiple recipients, various
deployment options are available. The following notation is used to
explain these options:
- KEK[R1, S] refers to a KEK shared between recipient R1 and
the sender S.
- CEK[R1, S] refers to a CEK shared between R1 and S.
- CEK[*, S] or KEK[*, S] are used when a single CEK or a single
KEK is shared with all authorized recipients by a given sender
S in a certain context.
- ENC(plaintext, k) refers to the encryption of plaintext with
a key k.
6.1. Content Key Distribution with AES Key Wrap
6.1.1. Introduction
The AES Key Wrap (AES-KW) algorithm, as described in [RFC3394], is
used to encrypt a randomly generated content-encryption key (CEK)
with a pre-shared key-encryption key (KEK). The COSE conventions for
using AES-KW are specified in Section 8.5.2 of [RFC9052] and in
Section 6.2.1 of [RFC9053]. The encrypted CEK is carried within the
COSE_recipient structure , which includes the necessary information
for AES-KW. The COSE_recipient structure, a substructure of
COSE_Encrypt, contains the CEK encrypted by the KEK.
Tschofenig, et al. Expires 10 June 2025 [Page 10]
Internet-Draft Encrypted Payloads in SUIT Manifests December 2024
To ensure high security when using AES Key Wrap, it is important that
the KEK is of high entropy and that implementations protect the KEK
from disclosure. A compromised KEK could expose all data encrypted
with it, including binaries and configuration data.
The COSE_Encrypt structure conveys the information needed to encrypt
the payload, including details such as the algorithm and IV. Even
though the payload may be conveyed as detached content, the
encryption information is still embedded in the
COSE_Encrypt.ciphertext structure.
6.1.2. Deployment Options
There are three deployment options for use with AES Key Wrap for
payload encryption:
* If all recipients (typically of the same product family) share the
same KEK, a single COSE_recipient structure contains the encrypted
CEK. The sender executes the following steps:
1. Fetch KEK[*, S]
2. Generate CEK
3. ENC(CEK, KEK)
4. ENC(payload, CEK)
This deployment option is strongly discouraged. An attacker gaining
access to the KEK will be able to encrypt and send payloads to all
recipients configured to use this KEK.
* If recipients have different KEKs, then multiple COSE_recipient
structures are included but only a single CEK is used. Each
COSE_recipient structure contains the CEK encrypted with the KEKs
appropriate for a given recipient. The benefit of this approach
is that the payload is encrypted only once with a CEK while there
is no sharing of the KEK across recipients. Hence, authorized
recipients still use their individual KEK to decrypt the CEK and
to subsequently obtain the plaintext. The steps taken by the
sender are:
1. Generate CEK
2. for i=1 to n
{
2a. Fetch KEK[Ri, S]
2b. ENC(CEK, KEK[Ri, S])
}
3. ENC(payload, CEK)
Tschofenig, et al. Expires 10 June 2025 [Page 11]
Internet-Draft Encrypted Payloads in SUIT Manifests December 2024
* The third option is to use different CEKs encrypted with KEKs of
authorized recipients. This approach is appropriate when no
benefits can be gained from encrypting and transmitting payloads
only once. Assume there are n recipients with their unique KEKs -
KEK[R1, S], ..., KEK[Rn, S] and unique CEKs. The sender needs to
execute the following steps:
1. for i=1 to n
{
1a. Fetch KEK[Ri, S]
1b. Generate CEK[Ri, S]
1c. ENC(CEK[Ri, S], KEK[Ri, S])
1d. ENC(payload, CEK[Ri, S])
2. }
6.1.3. CDDL
The CDDL for the AES-KW binary is shown in Figure 5.
empty_or_serialized_map and header_map are structures defined in
[RFC9052].
=============== NOTE: '\' line wrapping per RFC 8792 ================
SUIT_Encryption_Info_AESKW = #6.96([
protected : outer_header_map_protected,
unprotected : outer_header_map_unprotected,
ciphertext : bstr / nil,
recipients : [ + COSE_recipient_AESKW ]
])
outer_header_map_protected = empty_or_serialized_map
outer_header_map_unprotected = header_map
COSE_recipient_AESKW = [
protected : bstr .size 0 / bstr .cbor empty_map,
unprotected : recipient_header_unpr_map_aeskw,
ciphertext : bstr ; CEK encrypted with KEK
]
empty_map = {}
recipient_header_unpr_map_aeskw =
{
1 => int, ; algorithm identifier
? 4 => bstr, ; identifier of the KEK pre-shared with the \
recipient
* label => values ; extension point
}
Tschofenig, et al. Expires 10 June 2025 [Page 12]
Internet-Draft Encrypted Payloads in SUIT Manifests December 2024
Figure 5: CDDL for AES-KW-based Content Key Distribution
Note that the AES-KW algorithm, as defined in Section 2.2.3.1 of
[RFC3394], does not have public parameters that vary on a per-
invocation basis. Hence, the protected header in the COSE_recipient
structure is a byte string of zero length.
6.2. Content Key Distribution with Ephemeral-Static Diffie-Hellman
6.2.1. Introduction
Ephemeral-Static Diffie-Hellman (ES-DH) is a public key encryption
scheme that enables encryption using the recipient's public key.
There are several variations of this scheme; this document adopts the
version specified in Section 8.5.5 of [RFC9052].
The structure is composed of two layers:
* Layer 0: Contains content encrypted with a Content Encryption Key
(CEK). The content may be provided separately.
* Layer 1: Uses the AES Key Wrap (AES-KW) algorithm to encrypt the
randomly generated CEK with a Key Encryption Key (KEK) derived via
ES-DH. The resulting symmetric key is processed through an HKDF-
based key derivation function [RFC5869].
This two-layer structure combines ES-DH with AES-KW and HKDF,
referred to as ECDH-ES + AES-KW. An example can be found in
Figure 10.
Another variant of the ES-DH algorithm, called ECDH-ES + HKDF, does
not utilize AES Key Wrap. However, this version is not covered in
this document.
6.2.2. Deployment Options
This approach supports only two deployment options, as it assumes
that each recipient is always equipped with a device-specific public/
private key pair.
* When a sender transmits a payload to multiple recipients, all
recipients receive the same encrypted payload, meaning the same
CEK is used to encrypt the content. For each recipient, a
separate COSE_recipient structure is used, which contains the CEK
encrypted with the recipient-specific KEK. To derive the KEK,
each COSE_recipient structure includes a COSE_recipient_inner
structure that carries the sender's ephemeral key and an
identifier for the recipient's public key.
Tschofenig, et al. Expires 10 June 2025 [Page 13]
Internet-Draft Encrypted Payloads in SUIT Manifests December 2024
The steps taken by the sender are:
1. Generate CEK
2. for i=1 to n
{
2a. Generate KEK[Ri, S] using ES-DH
2b. ENC(CEK, KEK[Ri, S])
}
3. ENC(payload,CEK)
* The alternative is to encrypt the payload with a unique CEK for
each recipient, resulting in multiple manifests. This approach is
useful when payloads contain device-specific information. In this
case, the encryption operation becomes ENC(payload_i, CEK[Ri, S])
where each recipient Ri receives a unique CEK. Assume that
KEK[R1, S],..., KEK[Rn, S] have been generated for the recipients
using ES-DH. The sender must then follow these steps:
1. for i=1 to n
{
1a. Generate KEK[Ri, S] using ES-DH
1b. Generate CEK[Ri, S]
1c. ENC(CEK[Ri, S], KEK[Ri, S])
1d. ENC(payload, CEK[Ri, S])
}
6.2.3. CDDL
The CDDL for the ECDH-ES+AES-KW binary is provided in Figure 6. Only
the essential parameters are included. The structures
empty_or_serialized_map and header_map are defined in [RFC9052].
Tschofenig, et al. Expires 10 June 2025 [Page 14]
Internet-Draft Encrypted Payloads in SUIT Manifests December 2024
SUIT_Encryption_Info_ESDH = #6.96([
protected : outer_header_map_protected,
unprotected : outer_header_map_unprotected,
ciphertext : bstr / nil,
recipients : [ + COSE_recipient_ESDH ]
])
outer_header_map_protected = empty_or_serialized_map
outer_header_map_unprotected = header_map
COSE_recipient_ESDH = [
protected : bstr .cbor recipient_header_map_esdh,
unprotected : recipient_header_unpr_map_esdh,
ciphertext : bstr ; CEK encrypted with KEK
]
recipient_header_map_esdh =
{
1 => int, ; algorithm identifier
* label => values ; extension point
}
recipient_header_unpr_map_esdh =
{
? 4 => bstr, ; identifier of the recipient public key
-1 => COSE_Key, ; ephemeral public key for the sender
* label => values ; extension point
}
Figure 6: CDDL for ES-DH-based Content Key Distribution
See Section 7 for a description on how to encrypt the payload.
6.2.4. Context Information Structure
The context information structure ensures that the derived keying
material is "bound" to the specific context of the transaction. This
specification reuses the structure defined in Section 5.2 of
[RFC9053], with modifications to fit the current use case.
The following elements are bound to the context:
* the protocol employing the key-derivation method,
* information about the utilized AES Key Wrap algorithm, and the key
length.
Tschofenig, et al. Expires 10 June 2025 [Page 15]
Internet-Draft Encrypted Payloads in SUIT Manifests December 2024
* the protected header field, which contains the content key
encryption algorithm.
The sender and recipient identities are left empty.
The following fields in Figure 7 require an explanation:
* The COSE_KDF_Context.AlgorithmID field MUST contain the identifier
for the AES Key Wrap algorithm being used. This specification
uses the following values: A128KW (value -3), A192KW (value -4),
or A256KW (value -5)
* The COSE_KDF_Context.SuppPubInfo.keyDataLength field MUST specify
the key length, in bits, corresponding to the algorithm in the
AlgorithmID field. For A128KW the value is 128, for A192KW the
value is 192, and for A256KW the value 256.
* The COSE_KDF_Context.SuppPubInfo.other field captures the protocol
that uses the ES-DH content key distribution algorithm. It MUST
be set to the constant string "SUIT Payload Encryption".
* The COSE_KDF_Context.SuppPubInfo.protected field MUST contain the
serialized content of the recipient_header_map_esdh field, which
contains (among other elements) the identifier of the content key
distribution method.
Tschofenig, et al. Expires 10 June 2025 [Page 16]
Internet-Draft Encrypted Payloads in SUIT Manifests December 2024
COSE_KDF_Context = [
AlgorithmID : int,
PartyUInfo : [ PartyInfoSender ],
PartyVInfo : [ PartyInfoRecipient ],
SuppPubInfo : [
keyDataLength : uint,
protected : bstr,
other: 'SUIT Payload Encryption'
],
? SuppPrivInfo : bstr
]
PartyInfoSender = (
identity : nil,
nonce : nil,
other : nil
)
PartyInfoRecipient = (
identity : nil,
nonce : nil,
other : nil
)
Figure 7: CDDL for COSE_KDF_Context Structure
The HKDF-based key derivation function MAY contain a salt value, as
described in Section 5.1 of [RFC9053]. This optional value
influences the key generation process, though this specification does
not require the use of a salt. If the salt is public and included in
the message, the "salt" algorithm header parameter MUST be used. The
salt adds extra randomness to the KDF context. When the salt is
transmitted via the "salt" algorithm header parameter, the receiver
MUST be capable of processing it and MUST pass it into the key
derivation function. For more details on salt usage, refer to
[RFC5869] and NIST SP800-56 [SP800-56].
Profiles of this specification MAY define an extended version of the
context information structure or MAY employ a different context
information structure.
7. Content Encryption
This section summarizes the steps involved in content encryption,
applicable to both content key distribution methods.
Tschofenig, et al. Expires 10 June 2025 [Page 17]
Internet-Draft Encrypted Payloads in SUIT Manifests December 2024
When using AEAD ciphers, such as AES-GCM or ChaCha20/Poly1305, the
COSE specification requires a consistent byte stream to create the
authenticated data structure. This structure is illustrated in
Figure 8 and defined in Section 5.3 of [RFC9052].
Enc_structure = [
context : "Encrypt",
protected : empty_or_serialized_map,
external_aad : bstr
]
Figure 8: CDDL for Enc_structure Data Structure
This Enc_structure must be populated as follows:
* The protected field in the Enc_structure from Figure 8 refers to
the content of the protected field in the COSE_Encrypt structure.
* The value of external_aad MUST be set to a zero-length byte
string, represented as h'' in diagnostic notation and encoded as
0x40.
Some ciphers, such as AES-CTR and AES-CBC, provide confidentiality
without integrity protection (see [RFC9459]). For these ciphers, the
Enc_structure shown in Figure 8 cannot be used, as the Additional
Authenticated Data (AAD) byte string is only applicable to AEAD
ciphers. Therefore, the AAD structure is not passed to the API for
these ciphers, and the protected header in the SUIT_Encryption_Info
structure MUST be a zero-length byte string.
AES-CTR and AES-CBC are discussed in separate sub-sections below and
Figure 11 and Figure 14 use the following abbreviations:
* Pi = Plaintext blocks
* Ci = Ciphertext blocks
* E = Encryption function
* k = Symmetric key
* ⊕ = XOR operation
7.1. AES-GCM