-
Notifications
You must be signed in to change notification settings - Fork 5
/
draft-ietf-suit-firmware-encryption.xml
3400 lines (3014 loc) · 153 KB
/
draft-ietf-suit-firmware-encryption.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.20 (Ruby 3.0.2) -->
<!DOCTYPE rfc [
<!ENTITY nbsp " ">
<!ENTITY zwsp "​">
<!ENTITY nbhy "‑">
<!ENTITY wj "⁠">
]>
<?rfc rfcedstyle="yes"?>
<?rfc tocindent="yes"?>
<?rfc strict="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc text-list-symbols="-o*+"?>
<?rfc docmapping="yes"?>
<?rfc toc_levels="4"?>
<rfc ipr="trust200902" docName="draft-ietf-suit-firmware-encryption-22" category="std" consensus="true" tocInclude="true" sortRefs="true" symRefs="true">
<front>
<title abbrev="Encrypted Payloads in SUIT Manifests">Encrypted Payloads in SUIT Manifests</title>
<author initials="H." surname="Tschofenig" fullname="Hannes Tschofenig">
<organization abbrev="H-BRS">University of Applied Sciences Bonn-Rhein-Sieg</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<author initials="R." surname="Housley" fullname="Russ Housley">
<organization abbrev="Vigil Security">Vigil Security, LLC</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<author initials="B." surname="Moran" fullname="Brendan Moran">
<organization>Arm Limited</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<author initials="D." surname="Brown" fullname="David Brown">
<organization>Linaro</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<author initials="K." surname="Takayama" fullname="Ken Takayama">
<organization>SECOM CO., LTD.</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<date year="2024" month="December" day="07"/>
<area>Security</area>
<workgroup>SUIT</workgroup>
<keyword>Internet-Draft</keyword>
<abstract>
<?line 95?>
<t>This document specifies techniques for encrypting software, firmware,
machine learning models, and personalization data by utilizing the IETF
SUIT manifest. Key agreement is provided by ephemeral-static (ES)
Diffie-Hellman (DH) and AES Key Wrap (AES-KW). ES-DH uses public key
cryptography while AES-KW uses a pre-shared key. Encryption of the
plaintext is accomplished with conventional symmetric key cryptography.</t>
</abstract>
</front>
<middle>
<?line 104?>
<section anchor="introduction"><name>Introduction</name>
<t>Vulnerabilities in Internet of Things (IoT) devices have highlighted the need for a reliable and secure firmware update mechanism, especially for constrained devices. To protect firmware images, the SUIT manifest format was developed <xref target="I-D.ietf-suit-manifest"/>. A manifest is a bundle of metadata about the firmware for an IoT device, where to find the firmware, and the devices to which it applies. <xref target="RFC9124"/> outlines the necessary information a SUIT manifest has to provide. In addition to protecting against modification via digital signatures or message authentication codes, the format can also offer confidentiality.</t>
<t>Encryption prevents third parties, including attackers, from accessing the payload. Attackers often require detailed knowledge of a binary, such as a firmware image, to launch successful attacks. For instance, return-oriented programming (ROP) <xref target="ROP"/> requires access to the binary, and encryption makes writing exploits significantly more difficult. Beyond ensuring the confidentiality of the binary itself, protecting the confidentiality of the source code will also be necessary to prevent reverse engineering and reproduction of the firmware.</t>
<t>While the initial motivation for this document was firmware encryption, the use of SUIT manifests has expanded to cover other scenarios requiring integrity and confidentiality protection, such as:</t>
<t><list style="symbols">
<t>software packages,</t>
<t>personalization data,</t>
<t>configuration data, and</t>
<t>machine learning models.</t>
</list></t>
<t>Thus, the term "payload" is used generically to refer to all these objects.</t>
<t>The payload is encrypted using a symmetric content encryption key, which can be established through various mechanisms. This document defines two content key distribution methods for use with the IETF SUIT manifest:</t>
<t><list style="symbols">
<t>Ephemeral-Static (ES) Diffie-Hellman (DH), and</t>
<t>AES Key Wrap (AES-KW).</t>
</list></t>
<t>The first method relies on asymmetric cryptography, while the second uses symmetric cryptography.</t>
<t>Our design aims to reduce the number of content key distribution methods for payload encryption, thereby increasing interoperability between different SUIT manifest parser implementations.</t>
<t>The goal of this specification is to protect payloads both during end-to-end transport (from the distribution system to the device) and at rest when stored on the device. Constrained devices often employ eXecute In Place (XIP), a method of executing code directly from flash memory rather than loading it into RAM. Many of these devices lack hardware-based, on-the-fly decryption for code stored in flash memory, which may require decrypting and storing firmware images in on-chip flash before execution. However, we expect hardware-based, on-the-fly decryption to become more common in the future, enhancing confidentiality at rest.</t>
</section>
<section anchor="conventions-and-terminology"><name>Conventions and Terminology</name>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.</t>
<t>This document assumes familiarity with the IETF SUIT manifest <xref target="I-D.ietf-suit-manifest"/>,
the SUIT information model <xref target="RFC9124"/>, and the SUIT architecture <xref target="RFC9019"/>.</t>
<t>The following abbreviations are used in this document:</t>
<t><list style="symbols">
<t>Key Wrap (KW), defined in <xref target="RFC3394"/> (for use with AES)</t>
<t>Key-Encryption Key (KEK) <xref target="RFC3394"/></t>
<t>Content-Encryption Key (CEK) <xref target="RFC5652"/></t>
<t>Ephemeral-Static (ES) Diffie-Hellman (DH) <xref target="RFC9052"/></t>
<t>Authenticated Encryption with Associated Data (AEAD)</t>
<t>Execute in Place (XIP)</t>
</list></t>
<t>The terms sender and recipient have the following meaning:</t>
<t><list style="symbols">
<t>Sender: Entity that sends an encrypted payload.</t>
<t>Recipient: Entity that receives an encrypted payload.</t>
</list></t>
<t>Additionally, we introduce the term "distribution system" (or distributor)
to refer to an entity that knows the recipients of payloads. It is important
to note that the distribution system is far more than a file server. For
use of encryption, the distribution system either knows the public key
of the recipient (for ES-DH), or the KEK (for AES-KW).</t>
<t>The author, which is responsible for creating the payload, does not
know the recipients. The author may, for example, be a developer building
a firmware image.</t>
<t>The author and the distribution system are logical roles. In some
deployments these roles are separated in different physical entities
and in others they are co-located.</t>
</section>
<section anchor="arch"><name>Architecture</name>
<t><xref target="RFC9019"/> outlines the architecture for distributing payloads and manifests from an author to devices. However, it does not cover payload encryption in detail. This document extends that architecture to support encryption, as illustrated in <xref target="arch-fig"/>.</t>
<t>To encrypt a payload, it is essential to know the recipient. For AES-KW, the Key Encryption Key (KEK) must be known, and for ES-DH, the sender needs access to the recipient's public key. This public key and its associated parameters may be found in the recipient's X.509 certificate <xref target="RFC5280"/>. For authentication and integrity protection, recipients must be provisioned with a trust anchor when the manifest is protected by a digital signature. If a MAC is used for manifest protection, a symmetric key must be shared between the recipient and the sender.</t>
<t>With encryption, the author cannot simply create and sign a manifest for the payload, as the recipients are often unknown. Therefore, the author must collaborate with the distribution system. The degree of this collaboration is discussed below.</t>
<t>The primary purpose of encryption is to protect against adversaries along the path between the distribution system and the device. There is also a risk that adversaries may extract the decrypted firmware image from the device itself. Consequently, the device must be safeguarded against physical attacks, though such countermeasures are typically beyond the scope of IETF specifications.</t>
<t>Note: It is assumed that the communication between the author and the distribution system is secure. For example, the author might upload the manifest and firmware image to the distribution system using a secure HTTPS REST API.</t>
<figure title="Architecture for the distribution of Encrypted Payloads." anchor="arch-fig"><artset><artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="384" width="472" viewBox="0 0 472 384" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px">
<path d="M 8,32 L 8,96" fill="none" stroke="black"/>
<path d="M 8,160 L 8,224" fill="none" stroke="black"/>
<path d="M 8,288 L 8,352" fill="none" stroke="black"/>
<path d="M 96,32 L 96,96" fill="none" stroke="black"/>
<path d="M 96,160 L 96,224" fill="none" stroke="black"/>
<path d="M 96,288 L 96,352" fill="none" stroke="black"/>
<path d="M 128,64 L 128,320" fill="none" stroke="black"/>
<path d="M 328,160 L 328,208" fill="none" stroke="black"/>
<path d="M 344,48 L 344,80" fill="none" stroke="black"/>
<path d="M 384,88 L 384,152" fill="none" stroke="black"/>
<path d="M 432,48 L 432,80" fill="none" stroke="black"/>
<path d="M 448,160 L 448,208" fill="none" stroke="black"/>
<path d="M 8,32 L 96,32" fill="none" stroke="black"/>
<path d="M 344,48 L 432,48" fill="none" stroke="black"/>
<path d="M 104,64 L 128,64" fill="none" stroke="black"/>
<path d="M 344,80 L 432,80" fill="none" stroke="black"/>
<path d="M 8,96 L 96,96" fill="none" stroke="black"/>
<path d="M 8,160 L 96,160" fill="none" stroke="black"/>
<path d="M 328,160 L 448,160" fill="none" stroke="black"/>
<path d="M 104,192 L 320,192" fill="none" stroke="black"/>
<path d="M 328,208 L 448,208" fill="none" stroke="black"/>
<path d="M 8,224 L 96,224" fill="none" stroke="black"/>
<path d="M 8,288 L 96,288" fill="none" stroke="black"/>
<path d="M 104,320 L 128,320" fill="none" stroke="black"/>
<path d="M 8,352 L 96,352" fill="none" stroke="black"/>
<polygon class="arrowhead" points="392,152 380,146.4 380,157.6 " fill="black" transform="rotate(90,384,152)"/>
<polygon class="arrowhead" points="112,320 100,314.4 100,325.6 " fill="black" transform="rotate(180,104,320)"/>
<polygon class="arrowhead" points="112,192 100,186.4 100,197.6 " fill="black" transform="rotate(180,104,192)"/>
<polygon class="arrowhead" points="112,64 100,58.4 100,69.6 " fill="black" transform="rotate(180,104,64)"/>
<g class="text">
<text x="52" y="52">Device</text>
<text x="48" y="68">1</text>
<text x="388" y="68">Author</text>
<text x="424" y="116">Payload</text>
<text x="464" y="116">+</text>
<text x="428" y="132">Manifest</text>
<text x="52" y="180">Device</text>
<text x="176" y="180">Payload</text>
<text x="216" y="180">+</text>
<text x="260" y="180">Manifest</text>
<text x="388" y="180">Distribution</text>
<text x="48" y="196">2</text>
<text x="388" y="196">System</text>
<text x="56" y="260">...</text>
<text x="52" y="308">Device</text>
<text x="48" y="324">n</text>
</g>
</svg>
</artwork><artwork type="ascii-art"><![CDATA[
+----------+
| Device | +----------+
| 1 |<--+ | Author |
| | | +----------+
+----------+ | |
| | Payload +
| | Manifest
| v
+----------+ | +--------------+
| Device | | Payload + Manifest | Distribution |
| 2 |<--+------------------------| System |
| | | +--------------+
+----------+ |
|
... |
|
+----------+ |
| Device | |
| n |<--+
| |
+----------+
]]></artwork></artset></figure>
<t>When the author delegates encryption rights to the distributor, two models are possible:</t>
<t><list style="numbers" type="1">
<t>Replacing the COSE_Encrypt and Re-signing the Manifest:
The distributor replaces the COSE_Encrypt structure in the manifest and then signs the manifest again. However, since the COSE_Encrypt structure is within a signed container, this presents a challenge: replacing COSE_Encrypt alters the digest of the manifest, thereby invalidating the signature. As a result, the distributor must be able to sign the new manifest. If this is the case, the distributor gains the authority to construct and sign manifests, effectively allowing them to sign code and giving them full control over the recipient. Distributors typically perform re-encryption online to manage large numbers of devices efficiently, which prevents air-gapping the signing operations. This has implications for the recommendations in <xref section="4.3.17" sectionFormat="of" target="RFC9124"/>. Despite these issues, this model represents the current standard practice for IoT firmware updates.</t>
<t>Two-Layer Manifest System:
The distributor creates a new manifest that overrides the COSE_Encrypt using the dependency system defined in <xref target="I-D.ietf-suit-trust-domains"/>. This method introduces additional overhead, including one more signature verification, one extra manifest, and the need for extra mechanisms on the recipient side to handle dependency processing. While this adds complexity, it also enhances security.</t>
</list></t>
<t>These two models offer different threat profiles for the distributor. If the distributor is limited to encryption rights, an attacker who breaches the distributor can only launch a limited attack by encrypting a modified binary. However, recipients will detect the attack during the image digest check and immediately revert to the correct image.</t>
<t>It is RECOMMENDED that distributors adopt the two-layer manifest approach to distribute content encryption keys without re-signing the manifest, despite the added complexity and the increased number of signature verifications required on the recipient side.</t>
</section>
<section anchor="parameters"><name>Encryption Extensions</name>
<t>This specification introduces a new extension to the SUIT_Parameters structure.</t>
<t>The SUIT_Encryption_Info structure (referred to as suit-parameter-encryption-info
in <xref target="parameter-fig"/>) contains the content key distribution information. The
details of the SUIT_Encryption_Info structure are provided in <xref target="AES-KW"/> (for
AES-KW) and <xref target="ES-DH"/> (for ES-DH).</t>
<t>Once a CEK is available, the steps outlined in <xref target="content-enc"/> apply to both
content key distribution methods described in this section.</t>
<t>The SUIT_Encryption_Info structure is carried within either the
suit-directive-override-parameters or suit-directive-set-parameters used in
the "Directive Write" and "Directive Copy" operations. An implementation
conforming to this specification must support these two parameters.</t>
<t>Interoperability requirements for content key distribution methods vary:
since a device will typically support only one of the two specified methods,
the distribution system needs to know which method is supported. Limiting a
constrained device to a single content key distribution method also helps
reduce code size.</t>
<figure title="CDDL of the SUIT_Parameters Extension." anchor="parameter-fig"><artwork><![CDATA[
SUIT_Parameters //= (suit-parameter-encryption-info
=> bstr .cbor SUIT_Encryption_Info)
suit-parameter-encryption-info = TBD19
]]></artwork></figure>
<t>RFC Editor's Note (TBD19): The value for the suit-parameter-encryption-info
parameter is set to 19, as the proposed value.</t>
</section>
<section anchor="extended-directives"><name>Extended Directives</name>
<t>This specification extends the following directives:</t>
<t><list style="symbols">
<t>Directive Write (suit-directive-write): Used to decrypt the content specified
by suit-parameter-content using suit-parameter-encryption-info.</t>
<t>Directive Copy (suit-directive-copy): Used to decrypt the content of the
component specified by suit-parameter-source-component using suit-parameter-encryption-info.</t>
</list></t>
<t>Examples of these two directives are provided below, focusing on the essential
aspects. A complete example for AES Key Wrap with the Fetch and Copy directives
can be found in <xref target="example-AES-KW-copy"/>, while an example illustrating the
Write directive is shown in <xref target="example-AES-KW-write"/>.</t>
<t><xref target="encryption-info-consumed-with-write"/> illustrates the Directive Write. The
encrypted payload specified by parameter-content, represented as h'EA1...CED'
in the example, is decrypted using the SUIT_Encryption_Info structure referenced
by parameter-encryption-info, i.e., h'D86...1F0'. The resulting plaintext payload
is then stored in component #0.</t>
<figure title="Example showing the extended suit-directive-write." anchor="encryption-info-consumed-with-write"><artwork><![CDATA[
/ directive-override-parameters / 20, {
/ parameter-content / 18: h'EA1...CED',
/ parameter-encryption-info / TBD19: h'D86...1F0'
},
/ directive-write / 18, 15
]]></artwork></figure>
<t>RFC Editor's Note (TBD19): The value for the parameter-encryption-info
parameter is set to 19, as the proposed value.</t>
<t><xref target="encryption-info-consumed-with-copy"/> illustrates the Directive Copy.
In this example the encrypted payload is found at the URI indicated
by the parameter-uri, i.e., "http://example.com/encrypted.bin". The
encrypted payload will be downloaded and stored in component #1.
Then, the information in the SUIT_Encryption_Info structure referred
to by parameter-encryption-info, i.e., h'D86...1F0', will be used to
decrypt the content in component #1 and the resulting plaintext
payload will be stored into component #0.</t>
<figure title="Example showing the extended suit-directive-copy." anchor="encryption-info-consumed-with-copy"><artwork><![CDATA[
/ directive-set-component-index / 12, 1,
/ directive-override-parameters / 20, {
/ parameter-uri / 21: "http://example.com/encrypted.bin",
},
/ directive-fetch / 21, 15,
/ directive-set-component-index / 12, 0,
/ directive-override-parameters / 20, {
/ parameter-encryption-info / TBD19: h'D86...1F0',
/ parameter-source-component / 22: 1
},
/ directive-copy / 22, 15
]]></artwork></figure>
<t>RFC Editor's Note (TBD19): The value for the suit-parameter-encryption-info
parameter is set to 19, as the proposed value.</t>
<t>The payload to be encrypted may be detached and, in that case, it is
not covered by the digital signature or the MAC protecting the manifest.
(To be more precise, the suit-authentication-wrapper found in the envelope
contains a digest of the manifest in the SUIT Digest Container.)</t>
<t>The lack of authentication and integrity protection of the payload is
particularly a concern when a cipher without integrity protection is
used.</t>
<t>To provide authentication and integrity protection of the payload
in the detached payload case a SUIT Digest Container with the hash
of the encrypted and/or plaintext payload MUST be included in the
manifest. See suit-parameter-image-digest parameter in <xref section="8.4.8.6" sectionFormat="of" target="I-D.ietf-suit-manifest"/>.</t>
<t>Once a CEK is available, the steps described in <xref target="content-enc"/> are applicable.
These steps apply to both content key distribution methods.</t>
</section>
<section anchor="content-key-distribution"><name>Content Key Distribution</name>
<t>The following sub-sections describe two content key distribution methods:
AES Key Wrap (AES-KW) and Ephemeral-Static Diffie-Hellman (ES-DH). While
many other methods are specified in the literature and supported by COSE,
AES-KW and ES-DH were chosen for their widespread use in the market today.
They were selected for their maturity, differing security properties, and
strong interoperability.</t>
<t>Both content key distribution methods require the CEKs to be randomly
generated. The guidelines for random number generation in <xref target="RFC8937"/>
MUST be followed.</t>
<t>When sending an encrypted payload to multiple recipients, various
deployment options are available. The following notation is used to
explain these options:</t>
<figure><artwork><![CDATA[
- KEK[R1, S] refers to a KEK shared between recipient R1 and
the sender S.
- CEK[R1, S] refers to a CEK shared between R1 and S.
- CEK[*, S] or KEK[*, S] are used when a single CEK or a single
KEK is shared with all authorized recipients by a given sender
S in a certain context.
- ENC(plaintext, k) refers to the encryption of plaintext with
a key k.
]]></artwork></figure>
<section anchor="AES-KW"><name>Content Key Distribution with AES Key Wrap</name>
<section anchor="introduction-1"><name>Introduction</name>
<t>The AES Key Wrap (AES-KW) algorithm, as described in <xref target="RFC3394"/>,
is used to encrypt a randomly generated content-encryption key (CEK)
with a pre-shared key-encryption key (KEK). The COSE conventions for using
AES-KW are specified in <xref section="8.5.2" sectionFormat="of" target="RFC9052"/> and in <xref section="6.2.1" sectionFormat="of" target="RFC9053"/>. The encrypted CEK is carried within the COSE_recipient structure
, which includes the necessary information for AES-KW. The COSE_recipient structure,
a substructure of COSE_Encrypt, contains the CEK
encrypted by the KEK.</t>
<t>To ensure high security when using AES Key Wrap, it is important that the
KEK is of high entropy and that implementations protect the KEK
from disclosure. A compromised KEK could expose all data encrypted with it,
including binaries and configuration data.</t>
<t>The COSE_Encrypt structure conveys the information needed to encrypt the payload,
including details such as the algorithm and IV. Even though the payload may
be conveyed as detached content, the encryption information is still embedded
in the COSE_Encrypt.ciphertext structure.</t>
</section>
<section anchor="deployment-options"><name>Deployment Options</name>
<t>There are three deployment options for use with AES Key Wrap for payload
encryption:</t>
<t><list style="symbols">
<t>If all recipients (typically of the same product family) share the same KEK,
a single COSE_recipient structure contains the encrypted CEK. The sender executes
the following steps:</t>
</list></t>
<figure><artwork><![CDATA[
1. Fetch KEK[*, S]
2. Generate CEK
3. ENC(CEK, KEK)
4. ENC(payload, CEK)
]]></artwork></figure>
<t>This deployment option is strongly discouraged. An attacker gaining access to
the KEK will be able to encrypt and send payloads to all recipients configured
to use this KEK.</t>
<t><list style="symbols">
<t>If recipients have different KEKs, then multiple COSE_recipient structures
are included but only a single CEK is used. Each COSE_recipient structure
contains the CEK encrypted with the KEKs appropriate for a given recipient.
The benefit of this approach is that the payload is encrypted only once with
a CEK while there is no sharing of the KEK across recipients. Hence, authorized
recipients still use their individual KEK to decrypt the CEK and to subsequently
obtain the plaintext. The steps taken by the sender are:</t>
</list></t>
<figure><artwork><![CDATA[
1. Generate CEK
2. for i=1 to n
{
2a. Fetch KEK[Ri, S]
2b. ENC(CEK, KEK[Ri, S])
}
3. ENC(payload, CEK)
]]></artwork></figure>
<t><list style="symbols">
<t>The third option is to use different CEKs encrypted with KEKs of
authorized recipients. This approach is appropriate when no benefits can
be gained from encrypting and transmitting payloads only once. Assume there
are n recipients with their unique KEKs - KEK[R1, S], ..., KEK[Rn, S] and
unique CEKs. The sender needs to execute the following steps:</t>
</list></t>
<figure><artwork><![CDATA[
1. for i=1 to n
{
1a. Fetch KEK[Ri, S]
1b. Generate CEK[Ri, S]
1c. ENC(CEK[Ri, S], KEK[Ri, S])
1d. ENC(payload, CEK[Ri, S])
2. }
]]></artwork></figure>
</section>
<section anchor="cddl"><name>CDDL</name>
<t>The CDDL for the AES-KW binary is shown in <xref target="cddl-aeskw"/>.
empty_or_serialized_map and header_map are structures defined in <xref target="RFC9052"/>.</t>
<figure title="CDDL for AES-KW-based Content Key Distribution" anchor="cddl-aeskw"><artwork><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================
SUIT_Encryption_Info_AESKW = #6.96([
protected : outer_header_map_protected,
unprotected : outer_header_map_unprotected,
ciphertext : bstr / nil,
recipients : [ + COSE_recipient_AESKW ]
])
outer_header_map_protected = empty_or_serialized_map
outer_header_map_unprotected = header_map
COSE_recipient_AESKW = [
protected : bstr .size 0 / bstr .cbor empty_map,
unprotected : recipient_header_unpr_map_aeskw,
ciphertext : bstr ; CEK encrypted with KEK
]
empty_map = {}
recipient_header_unpr_map_aeskw =
{
1 => int, ; algorithm identifier
? 4 => bstr, ; identifier of the KEK pre-shared with the \
recipient
* label => values ; extension point
}
]]></artwork></figure>
<t>Note that the AES-KW algorithm, as defined in <xref section="2.2.3.1" sectionFormat="of" target="RFC3394"/>,
does not have public parameters that vary on a per-invocation basis. Hence,
the protected header in the COSE_recipient structure is a byte string
of zero length.</t>
</section>
</section>
<section anchor="ES-DH"><name>Content Key Distribution with Ephemeral-Static Diffie-Hellman</name>
<section anchor="introduction-2"><name>Introduction</name>
<t>Ephemeral-Static Diffie-Hellman (ES-DH) is a public key encryption scheme
that enables encryption using the recipient's public key. There are several
variations of this scheme; this document adopts the version specified in
<xref section="8.5.5" sectionFormat="of" target="RFC9052"/>.</t>
<t>The structure is composed of two layers:</t>
<t><list style="symbols">
<t>Layer 0: Contains content encrypted with a Content Encryption Key (CEK).
The content may be provided separately.</t>
<t>Layer 1: Uses the AES Key Wrap (AES-KW) algorithm to encrypt the randomly
generated CEK with a Key Encryption Key (KEK) derived via ES-DH. The
resulting symmetric key is processed through an HKDF-based key derivation
function <xref target="RFC5869"/>.</t>
</list></t>
<t>This two-layer structure combines ES-DH with AES-KW and HKDF, referred to
as ECDH-ES + AES-KW. An example can be found in <xref target="esdh-aesgcm-example"/>.</t>
<t>Another variant of the ES-DH algorithm, called ECDH-ES + HKDF, does not
utilize AES Key Wrap. However, this version is not covered in this document.</t>
</section>
<section anchor="deployment-options-1"><name>Deployment Options</name>
<t>This approach supports only two deployment options, as it assumes that each
recipient is always equipped with a device-specific public/private key pair.</t>
<t><list style="symbols">
<t>When a sender transmits a payload to multiple recipients, all recipients
receive the same encrypted payload, meaning the same CEK is used to encrypt
the content. For each recipient, a separate COSE_recipient structure is used,
which contains the CEK encrypted with the recipient-specific KEK. To derive
the KEK, each COSE_recipient structure includes a COSE_recipient_inner
structure that carries the sender's ephemeral key and an identifier for the
recipient's public key.</t>
</list></t>
<t>The steps taken by the sender are:</t>
<figure><artwork><![CDATA[
1. Generate CEK
2. for i=1 to n
{
2a. Generate KEK[Ri, S] using ES-DH
2b. ENC(CEK, KEK[Ri, S])
}
3. ENC(payload,CEK)
]]></artwork></figure>
<t><list style="symbols">
<t>The alternative is to encrypt the payload with a unique CEK for each
recipient, resulting in multiple manifests. This approach is useful when payloads contain
device-specific information. In this case, the encryption operation becomes
ENC(payload_i, CEK[Ri, S]) where each recipient Ri receives a unique CEK. Assume
that KEK[R1, S],..., KEK[Rn, S] have been generated for the recipients using ES-DH.
The sender must then follow these steps:</t>
</list></t>
<figure><artwork><![CDATA[
1. for i=1 to n
{
1a. Generate KEK[Ri, S] using ES-DH
1b. Generate CEK[Ri, S]
1c. ENC(CEK[Ri, S], KEK[Ri, S])
1d. ENC(payload, CEK[Ri, S])
}
]]></artwork></figure>
</section>
<section anchor="cddl-1"><name>CDDL</name>
<t>The CDDL for the ECDH-ES+AES-KW binary is provided in <xref target="cddl-esdh"/>.
Only the essential parameters are included. The structures empty_or_serialized_map
and header_map are defined in <xref target="RFC9052"/>.</t>
<figure title="CDDL for ES-DH-based Content Key Distribution" anchor="cddl-esdh"><artwork><![CDATA[
SUIT_Encryption_Info_ESDH = #6.96([
protected : outer_header_map_protected,
unprotected : outer_header_map_unprotected,
ciphertext : bstr / nil,
recipients : [ + COSE_recipient_ESDH ]
])
outer_header_map_protected = empty_or_serialized_map
outer_header_map_unprotected = header_map
COSE_recipient_ESDH = [
protected : bstr .cbor recipient_header_map_esdh,
unprotected : recipient_header_unpr_map_esdh,
ciphertext : bstr ; CEK encrypted with KEK
]
recipient_header_map_esdh =
{
1 => int, ; algorithm identifier
* label => values ; extension point
}
recipient_header_unpr_map_esdh =
{
? 4 => bstr, ; identifier of the recipient public key
-1 => COSE_Key, ; ephemeral public key for the sender
* label => values ; extension point
}
]]></artwork></figure>
<t>See <xref target="content-enc"/> for a description on how to encrypt the payload.</t>
</section>
<section anchor="context-information-structure"><name>Context Information Structure</name>
<t>The context information structure ensures that the derived keying material
is "bound" to the specific context of the transaction. This specification
reuses the structure defined in <xref section="5.2" sectionFormat="of" target="RFC9053"/>, with modifications
to fit the current use case.</t>
<t>The following elements are bound to the context:</t>
<t><list style="symbols">
<t>the protocol employing the key-derivation method,</t>
<t>information about the utilized AES Key Wrap algorithm, and the key length.</t>
<t>the protected header field, which contains the content key encryption algorithm.</t>
</list></t>
<t>The sender and recipient identities are left empty.</t>
<t>The following fields in <xref target="cddl-context-info"/> require an explanation:</t>
<t><list style="symbols">
<t>The COSE_KDF_Context.AlgorithmID field MUST contain the identifier for the
AES Key Wrap algorithm being used. This specification uses the following
values: A128KW (value -3), A192KW (value -4), or A256KW (value -5)</t>
<t>The COSE_KDF_Context.SuppPubInfo.keyDataLength field MUST specify the key
length, in bits, corresponding to the algorithm in the AlgorithmID field.
For A128KW the value is 128, for A192KW the value is 192, and for A256KW
the value 256.</t>
<t>The COSE_KDF_Context.SuppPubInfo.other field captures the protocol that
uses the ES-DH content key distribution algorithm. It MUST be set to
the constant string "SUIT Payload Encryption".</t>
<t>The COSE_KDF_Context.SuppPubInfo.protected field MUST contain the serialized
content of the recipient_header_map_esdh field, which contains (among other
elements) the identifier of the content key distribution method.</t>
</list></t>
<figure title="CDDL for COSE_KDF_Context Structure" anchor="cddl-context-info"><sourcecode type="CDDL"><![CDATA[
COSE_KDF_Context = [
AlgorithmID : int,
PartyUInfo : [ PartyInfoSender ],
PartyVInfo : [ PartyInfoRecipient ],
SuppPubInfo : [
keyDataLength : uint,
protected : bstr,
other: 'SUIT Payload Encryption'
],
? SuppPrivInfo : bstr
]
PartyInfoSender = (
identity : nil,
nonce : nil,
other : nil
)
PartyInfoRecipient = (
identity : nil,
nonce : nil,
other : nil
)
]]></sourcecode></figure>
<t>The HKDF-based key derivation function MAY contain a salt value,
as described in <xref section="5.1" sectionFormat="of" target="RFC9053"/>. This optional value
influences the key generation process, though this specification
does not require the use of a salt. If the salt is public and
included in the message, the "salt" algorithm header parameter
MUST be used. The salt adds extra randomness to the KDF context.
When the salt is transmitted via the "salt" algorithm header
parameter, the receiver MUST be capable of processing it and MUST
pass it into the key derivation function. For more details on salt
usage, refer to <xref target="RFC5869"/> and NIST SP800-56 <xref target="SP800-56"/>.</t>
<t>Profiles of this specification MAY define an extended version of
the context information structure or MAY employ a different context
information structure.</t>
</section>
</section>
</section>
<section anchor="content-enc"><name>Content Encryption</name>
<t>This section summarizes the steps involved in content encryption,
applicable to both content key distribution methods.</t>
<t>When using AEAD ciphers, such as AES-GCM or ChaCha20/Poly1305, the
COSE specification requires a consistent byte stream to create the
authenticated data structure. This structure is illustrated in
<xref target="cddl-enc-aeskw"/> and defined in <xref section="5.3" sectionFormat="of" target="RFC9052"/>.</t>
<figure title="CDDL for Enc_structure Data Structure" anchor="cddl-enc-aeskw"><artwork><![CDATA[
Enc_structure = [
context : "Encrypt",
protected : empty_or_serialized_map,
external_aad : bstr
]
]]></artwork></figure>
<t>This Enc_structure must be populated as follows:</t>
<t><list style="symbols">
<t>The protected field in the Enc_structure from <xref target="cddl-enc-aeskw"/> refers
to the content of the protected field in the COSE_Encrypt structure.</t>
<t>The value of external_aad MUST be set to a zero-length byte string,
represented as h'' in diagnostic notation and encoded as 0x40.</t>
</list></t>
<t>Some ciphers, such as AES-CTR and AES-CBC, provide confidentiality
without integrity protection (see <xref target="RFC9459"/>). For these ciphers,
the Enc_structure shown in <xref target="cddl-enc-aeskw"/> cannot be used, as
the Additional Authenticated Data (AAD) byte string is only
applicable to AEAD ciphers. Therefore, the AAD structure is not
passed to the API for these ciphers, and the protected header in
the SUIT_Encryption_Info structure MUST be a zero-length byte string.</t>
<t>AES-CTR and AES-CBC are discussed in separate sub-sections below and
<xref target="aes-ctr-fig"/> and <xref target="aes-cbc-fig"/> use the following abbreviations:</t>
<t><list style="symbols">
<t>Pi = Plaintext blocks</t>
<t>Ci = Ciphertext blocks</t>
<t>E = Encryption function</t>
<t>k = Symmetric key</t>
<t>⊕ = XOR operation</t>
</list></t>
<section anchor="aes-gcm"><name>AES-GCM</name>
<section anchor="introduction-3"><name>Introduction</name>
<t>AES-GCM is an AEAD cipher and provides confidentiality and integrity protection.</t>
<t>Examples in this section use the following parameters:</t>
<t><list style="symbols">
<t>Algorithm for payload encryption: AES-GCM-128
<list style="symbols">
<t>k: h'15F785B5C931414411B4B71373A9C0F7'</t>
<t>IV: h'F14AAB9D81D51F7AD943FE87AF4F70CD'</t>
</list></t>
<t>Plaintext: "This is a real firmware image."
<list style="symbols">
<t>in hex: 546869732069732061207265616C206669726D7761726520696D6167652E</t>
</list></t>
</list></t>
</section>
<section anchor="aes-kw-aes-gcm-example"><name>AES-KW + AES-GCM Example</name>
<t>This example uses the following parameters:</t>
<t><list style="symbols">
<t>Algorithm id for key wrap: A128KW</t>
<t>KEK COSE_Key (Secret Key):
<list style="symbols">
<t>kty: Symmetric</t>
<t>k: 'aaaaaaaaaaaaaaaa'</t>
<t>kid: 'kid-1'</t>
</list></t>
</list></t>
<t>The COSE_Encrypt structure, in hex format, is (with a line break inserted):</t>
<figure><artwork><![CDATA[
D8608443A10101A1054CF14AAB9D81D51F7AD943FE87F6818340A2012204
456B69642D31581875603FFC9518D794713C8CA8A115A7FB32565A6D5953
4D62
]]></artwork></figure>
<t>The resulting COSE_Encrypt structure in a diagnostic format is shown in
<xref target="aeskw-aesgcm-example"/>.</t>
<figure title="COSE_Encrypt Example for AES Key Wrap" anchor="aeskw-aesgcm-example"><artwork><![CDATA[
96([
/ protected: / << {
/ alg / 1: 1 / A128GCM /
} >>,
/ unprotected: / {
/ IV / 5: h'F14AAB9D81D51F7AD943FE87'
},
/ payload: / null / detached ciphertext /,
/ recipients: / [
[
/ protected: / h'',
/ unprotected: / {
/ alg / 1: -3 / A128KW /,
/ kid / 4: 'kid-1'
},
/ payload: /
h'75603FFC9518D794713C8CA8A115A7FB32565A6D59534D62'
/ CEK encrypted with KEK /
]
]
])
]]></artwork></figure>
<t>The encrypted payload (with a line feed added) was:</t>
<figure><artwork><![CDATA[
758C4B7BBAE2C4C1D462423E0F0DC3164FFA7B85BB94D4BD6D7ED26AB32F
EB063385D4D3465927EC82CB5E198A59
]]></artwork></figure>
</section>
<section anchor="ecdh-esaes-kw-aes-gcm-example"><name>ECDH-ES+AES-KW + AES-GCM Example</name>
<t>This example uses the following parameters:</t>
<t><list style="symbols">
<t>Algorithm for content key distribution: ECDH-ES + A128KW</t>
<t>KEK COSE_Key (Receiver's Private Key):
<list style="symbols">
<t>kty: EC2</t>
<t>crv: P-256</t>
<t>x: h'5886CD61DD875862E5AAA820E7A15274C968A9BC96048DDCACE32F50C3651BA3'</t>
<t>y: h'9EED8125E932CD60C0EAD3650D0A485CF726D378D1B016ED4298B2961E258F1B'</t>
<t>d: h'60FE6DD6D85D5740A5349B6F91267EEAC5BA81B8CB53EE249E4B4EB102C476B3'</t>
<t>kid: 'kid-2'</t>
</list></t>
<t>KDF Context
<list style="symbols">
<t>Algorithm ID: -3 (A128KW)</t>
<t>SuppPubInfo
<list style="symbols">
<t>keyDataLength: 128</t>
<t>protected: { / alg / 1: -29 / ECDH-ES+A128KW / }</t>
<t>other: 'SUIT Payload Encryption'</t>
</list></t>
</list></t>
</list></t>
<t>The COSE_Encrypt structure, in hex format, is (with a line break inserted):</t>
<figure><artwork><![CDATA[
D8608443A10101A1054CF14AAB9D81D51F7AD943FE87F6818344A101381C
A120A40102200121582073024F415AA51529A66CCEFD88F3F62A734492FF
45F6AD37FD2888E73EAF19DA2258204005B48A6FD091AA6ABFE3CFBEEDE8
8B347E521D43405FDBD7D2CFF0EBC21B265818A06B8E6550F308712B1DF0
44B21B7D11D9B22792F1DE0997
]]></artwork></figure>
<t>The resulting COSE_Encrypt structure in a diagnostic format is shown in
<xref target="esdh-aesgcm-example"/>.</t>
<figure title="COSE_Encrypt Example for ES-DH" anchor="esdh-aesgcm-example"><artwork><![CDATA[
96([
/ protected: / << {
/ alg / 1: 1 / A128GCM /
} >>,
/ unprotected: / {
/ IV / 5: h'F14AAB9D81D51F7AD943FE87'
},
/ payload: / null / detached ciphertext /,
/ recipients: / [
[
/ protected: / << {
/ alg / 1: -29 / ECDH-ES + A128KW /
} >>,
/ unprotected: / {
/ ephemeral key / -1: {
/ kty / 1: 2 / EC2 /,
/ crv / -1: 1 / P-256 /,
/ x / -2: h'73024F415AA51529A66CCEFD88F3F62A
734492FF45F6AD37FD2888E73EAF19DA',
/ y / -3: h'4005B48A6FD091AA6ABFE3CFBEEDE88B
347E521D43405FDBD7D2CFF0EBC21B26'
}
},
/ payload:
/ h'A06B8E6550F308712B1DF044B21B7D11D9B22792F1DE0997'
/ CEK encrypted with KEK /
]
]
])
]]></artwork></figure>
<t>The encrypted payload (with a line feed added) was:</t>
<figure><artwork><![CDATA[
758C4B7BBAE2C4C1D462423E0F0DC3164FFA7B85BB94D4BD6D7ED26AB32F
EB063385D4D3465927EC82CB5E198A59
]]></artwork></figure>
</section>
</section>
<section anchor="aes-ctr"><name>AES-CTR</name>
<section anchor="introduction-4"><name>Introduction</name>
<t>AES-CTR is a non-AEAD cipher that provides confidentiality but lacks integrity protection.
Unlike AES-CBC, AES-CTR uses an IV per block, as shown in <xref target="aes-ctr-fig"/>.
Hence, when an image is encrypted using AES-CTR-128 or AES-CTR-256, the IV MUST
start with zero (0) and MUST be incremented by one for each 16-byte plaintext block
within the entire slot.</t>
<t>In our example, we assume the slot size of a specific flash controller on an IoT device
is 64 KiB, the sector size 4096 bytes (4 KiB) and an AES plaintext block size of 16 bytes,
the IVs range from 0 to 255 in the first sector, and 16 * 256 IVs are required for the
remaining sectors in the slot.</t>
<figure title="AES-CTR Operation" anchor="aes-ctr-fig"><artset><artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="288" width="224" viewBox="0 0 224 288" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px">
<path d="M 32,96 L 32,176" fill="none" stroke="black"/>
<path d="M 64,48 L 64,88" fill="none" stroke="black"/>
<path d="M 64,224 L 64,240" fill="none" stroke="black"/>
<path d="M 96,96 L 96,176" fill="none" stroke="black"/>
<path d="M 152,96 L 152,176" fill="none" stroke="black"/>
<path d="M 184,48 L 184,88" fill="none" stroke="black"/>
<path d="M 184,224 L 184,240" fill="none" stroke="black"/>
<path d="M 216,96 L 216,176" fill="none" stroke="black"/>
<path d="M 32,96 L 96,96" fill="none" stroke="black"/>
<path d="M 152,96 L 216,96" fill="none" stroke="black"/>
<path d="M 32,176 L 96,176" fill="none" stroke="black"/>
<path d="M 152,176 L 216,176" fill="none" stroke="black"/>
<path d="M 40,208 L 56,208" fill="none" stroke="black"/>
<path d="M 152,208 L 168,208" fill="none" stroke="black"/>
<g class="text">
<text x="64" y="36">IV1</text>
<text x="184" y="36">IV2</text>
<text x="16" y="148">k--</text>
<text x="56" y="148">E</text>
<text x="136" y="148">k--</text>
<text x="176" y="148">E</text>
<text x="64" y="196">|</text>
<text x="184" y="196">|</text>
<text x="28" y="212">P1</text>
<text x="64" y="212">⊕</text>
<text x="140" y="212">P2</text>
<text x="176" y="212">⊕</text>
<text x="68" y="260">C1</text>
<text x="188" y="260">C2</text>
</g>
</svg>
</artwork><artwork type="ascii-art"><![CDATA[
IV1 IV2
| |
| |
| |
+-------+ +-------+
| | | |
| | | |
k--| E | k--| E |
| | | |
+-------+ +-------+
| |
P1---⊕ P2---⊕
| |
| |
C1 C2
]]></artwork></artset></figure>
<t>Note: The abbreviations shown in <xref target="aes-ctr-fig"/> are described
in <xref target="content-enc"/>.</t>
<t>Examples in this section use the following parameters:</t>
<t><list style="symbols">
<t>Algorithm for payload encryption: AES-CTR-128
<list style="symbols">
<t>k: h'261DE6165070FB8951EC5D7B92A065FE'</t>
<t>IV: h'DAE613B2E0DC55F4322BE38BDBA9DC68'</t>
</list></t>