]> University of Oviedo

Gijon, Asturias 33203 Spain garciadan@uniovi.es

University of Murcia

Murcia 30100 Spain rafa@um.es

Ericsson

SE-164 80 Stockholm Sweden goran.selander@ericsson.com

Ericsson

SE-164 80 Stockholm Sweden john.mattsson@ericsson.com

SEC EMU Working Group The Extensible Authentication Protocol (EAP), defined in RFC 3748, provides a standard mechanism for support of multiple authentication methods. This document specifies the use of EAP-EDHOC with Ephemeral Diffie-Hellman Over COSE (EDHOC). EDHOC provides a lightweight authenticated Diffie-Hellman key exchange with ephemeral keys, using COSE (RFC 9052, RFC 9053) to provide security services efficiently encoded in CBOR (RFC 8949). This document also provides guidance on authentication and authorization for EAP-EDHOC.

Introduction The Extensible Authentication Protocol (EAP), defined in , provides a standard mechanism for support of multiple authentication methods. This document specifies the EAP authentication method EAP-EDHOC which uses COSE-defined credential-based mutual authentication, utilizing the EDHOC protocol cipher suite negotiation and establishment of shared secret keying material. Ephemeral Diffie-Hellman Over COSE (EDHOC, ) is a very compact and lightweight authenticated key exchange protocol designed for highly constrained settings. The main objective for EDHOC is to be a matching security handshake protocol to OSCORE , i.e., to provide authentication and session key establishment for IoT use cases such as those built on CoAP involving 'things' with embedded microcontrollers, sensors, and actuators. EDHOC reuses the same lightweight primitives as OSCORE, CBOR and COSE and specifies the use of CoAP but is not bound to a particular transport. The EAP-EDHOC method will enable the integration of EDHOC in different applications and use cases using the EAP framework.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Protocol Overview

Overview of the EAP-EDHOC Conversation The EDHOC protocol running between an Initiator and a Responder consists of three mandatory messages (message_1, message_2, message_3), an optional message_4, and an error message. EAP-EDHOC uses all messages in the exchange, and message_4 is mandatory, as an protected success indication. After receiving an EAP-Request packet with EAP-Type=EAP-EDHOC as described in this document, the conversation will continue with the EDHOC protocol encapsulated in the data fields of EAP-Response and EAP-Request packets. When EAP-EDHOC is used, the formatting and processing of the EDHOC message SHALL be done as specified in . This document only lists additional and different requirements, restrictions, and processing compared to .

Authentication EAP-EDHOC authentication credentials can be of any type supported by COSE and be transported or referenced by EDHOC. EAP-EDHOC provides forward secrecy by exchange of ephemeral Diffie-Hellman public keys in message_1 and message_2. The optimization combining the execution of EDHOC with the first subsequent OSCORE transaction specified in is not supported in this EAP method. Figure 1 shows an example message flow for a successful EAP-EDHOC.

EAP-EDHOC Mutual Authentication | | EAP-Request/ | | EAP-Type=EAP-EDHOC | | (EDHOC Start) | | <---------------------------------------------------- | | EAP-Response/ | | EAP-Type=EAP-EDHOC | | (EDHOC message_1) | | ----------------------------------------------------> | | EAP-Request/ | | EAP-Type=EAP-EDHOC | | (EDHOC message_2) | | <---------------------------------------------------- | | EAP-Response/ | | EAP-Type=EAP-EDHOC | | (EDHOC message_3) | | ----------------------------------------------------> | | | | EAP-Request/ | | EAP-Type=EAP-EDHOC | | (EDHOC message_4) | | <--------------------------------------------------- | | EAP-Response/ | | EAP-Type=EAP-EDHOC | | ---------------------------------------------------> | | EAP-Success | | <--------------------------------------------------- | + + ]]>

Transport and Message Correlation EDHOC is not bound to a particular transport layer and can even be used in environments without IP. Nonetheless, EDHOC specification has a set of requirements for its transport protocol . These include handling message loss, reordering, duplication, fragmentation, demultiplex EDHOC messages from other types of messages, denial-of-service protection, and message correlation. All these requirements are fulfilled by the EAP protocol, EAP method, or EAP lower layer, as specified in . For message loss, this can be either fulfilled by the EAP layer or the EAP lower layer or both. For reordering, EAP relies on the EAP lower layer ordering guarantees, for correct operation. For duplication and message correlation, EAP has the Identifier field, which allows both the peer and authenticator to detect duplicates and match a request with a response. Fragmentation is defined by this EAP method, see . The EAP framework , specifies that EAP methods need to provide fragmentation and reassembly if EAP packets can exceed the minimum MTU of 1020 octets. To demultiplex EDHOC messages from other types of messages, EAP provides the Code field. This method does not provide other mitigation against denial-of-service than EAP .

Termination If the EAP-EDHOC peer authenticates successfully, the EAP-EDHOC server MUST send an EAP-Request packet with EAP-Type=EAP-EDHOC containing message_4 as a protected success indication. If the EAP-EDHOC server authenticates successfully, the EAP-EDHOC peer MUST send an EAP-Response message with EAP-Type=EAP-EDHOC containing no data. Finally, the EAP-EDHOC server sends an EAP-Success. , and illustrate message flows in several cases where the EAP-EDHOC peer or EAP-EDHOC server sends an EDHOC error message. shows an example message flow where the EAP-EDHOC server rejects message_1 with an EDHOC error message.

EAP-EDHOC Server rejection of message_1 | | EAP-Request/ | | EAP-Type=EAP-EDHOC | | (EDHOC Start) | | <---------------------------------------------------- | | EAP-Response/ | | EAP-Type=EAP-EDHOC | | (EDHOC message_1) | | ----------------------------------------------------> | | EAP-Request/ | | EAP-Type=EAP-EDHOC | | (EDHOC error) | | <---------------------------------------------------- | | EAP-Response/ | | EAP-Type=EAP-EDHOC | | ----------------------------------------------------> | | | | EAP-Failure | | <---------------------------------------------------- | | | ]]>

shows an example message flow where the EAP-EDHOC server authentication is unsuccessful and the EAP-EDHOC peer sends an EDHOC error message.

EAP-EDHOC Peer rejection of message_2 | | EAP-Request/ | | EAP-Type=EAP-EDHOC | | (EDHOC Start) | | <---------------------------------------------------- | | EAP-Response/ | | EAP-Type=EAP-EDHOC | | (EDHOC message_1) | | ----------------------------------------------------> | | EAP-Request/ | | EAP-Type=EAP-EDHOC | | (EDHOC message_2) | | <---------------------------------------------------- | | EAP-Response/ | | EAP-Type=EAP-EDHOC | | (EDHOC error) | | ----------------------------------------------------> | | EAP-Failure | | <---------------------------------------------------- | ]]>

shows an example message flow where the EAP-EDHOC server authenticates to the EAP-EDHOC peer successfully, but the EAP-EDHOC peer fails to authenticate to the EAP-EDHOC server, and the server sends an EDHOC error message.

EAP-EDHOC Server rejection of message_3 | | EAP-Request/ | | EAP-Type=EAP-EDHOC | | (EDHOC Start) | | <---------------------------------------------------- | | EAP-Response/ | | EAP-Type=EAP-EDHOC | | (EDHOC message_1) | | ----------------------------------------------------> | | EAP-Request/ | | EAP-Type=EAP-EDHOC | | (EDHOC message_2) | | <---------------------------------------------------- | | EAP-Response/ | | EAP-Type=EAP-EDHOC | | (EDHOC message_3) | | ----------------------------------------------------> | | EAP-Request/ | | EAP-Type=EAP-EDHOC | | (EDHOC error) | | <---------------------------------------------------- | | EAP-Response/ | | EAP-Type=EAP-EDHOC | | ----------------------------------------------------> | | | | EAP-Failure | | <---------------------------------------------------- | | | ]]>

shows an example message flow where the EAP-EDHOC server sends the EDHOC message_4 to the EAP peer, but the protected success indication fails, and the peer sends an EDHOC error message.

EAP-EDHOC Peer rejection of message_4 | | EAP-Request/ | | EAP-Type=EAP-EDHOC | | (EDHOC Start) | | <---------------------------------------------------- | | EAP-Response/ | | EAP-Type=EAP-EDHOC | | (EDHOC message_1) | | ----------------------------------------------------> | | EAP-Request/ | | EAP-Type=EAP-EDHOC | | (EDHOC message_2) | | <---------------------------------------------------- | | EAP-Response/ | | EAP-Type=EAP-EDHOC | | (EDHOC message_3) | | ----------------------------------------------------> | | EAP-Request/ | | EAP-Type=EAP-EDHOC | | (EDHOC message_4) | | <--------------------------------------------------- | | EAP-Response/ | | EAP-Type=EAP-EDHOC | | (EDHOC error) | | ----------------------------------------------------> | | EAP-Failure | | <---------------------------------------------------- | | | ]]>

Identity It is RECOMMENDED to use anonymous NAIs in the Identity Response as such identities are routable and privacy-friendly. While opaque blobs are allowed by , such identities are NOT RECOMMENDED as they are not routable and should only be considered in local deployments where the EAP-EDHOC peer, EAP authenticator, and EAP-EDHOC server all belong to the same network. Many client certificates contain an identity such as an email address, which is already in NAI format. When the client certificate contains an NAI as subject name or alternative subject name, an anonymous NAI SHOULD be derived from the NAI in the certificate; See .

Privacy EAP-EDHOC peer and server implementations supporting EAP-EDHOC MUST support anonymous Network Access Identifiers (NAIs) (Section 2.4 of ). A client supporting EAP-EDHOC MUST NOT send its username (or any other permanent identifiers) in cleartext in the Identity Response (or any message used instead of the Identity Response). Following , it is RECOMMENDED to omit the username (i.e., the NAI is @realm), but other constructions such as a fixed username (e.g., anonymous@realm) or an encrypted username (e.g., xCZINCPTK5+7y81CrSYbPg+RKPE3OTrYLn4AQc4AC2U=@realm) are allowed. Note that the NAI MUST be a UTF-8 string as defined by the grammar in Section 2.2 of . EAP-EDHOC is always used with privacy. This does not add any extra round trips and the message flow with privacy is just the normal message flow as shown in .

Fragmentation EAP-EDHOC fragmentation support is provided through the addition of a flags octet within the EAP-Response and EAP-Request packets, as well as a (conditional) EAP-EDHOC Message Length field that can be one to four octets. To do so, the EAP request and response messages of EAP-EDHOC have a set of information fields that allow for the specification of the fragmentation process (See for the detailed description). Of these fields, we will highlight the one that contains the flag octet, which is used to steer the fragmentation process. If the L bits are set, we are specifying that the message will be fragmented and the length of the message, which is in the EAP-EDHOC Message Length field. Implementations MUST NOT set the L bit in unfragmented messages, but they MUST accept unfragmented messages with and without the L bit set. Some EAP implementations and access networks may limit the number of EAP packet exchanges that can be handled. To avoid fragmentation, it is RECOMMENDED to keep the sizes of EAP-EDHOC peer, EAP-EDHOC server, and trust anchor authentication credentials small and the length of the certificate chains short. In addition, it is RECOMMENDED to use mechanisms that reduce the sizes of Certificate messages. EDHOC is designed to perform well in constrained networks where message sizes are restricted for performance reasons. In the basic message construction, the size of plaintext in message_2 is limited to the length of the output of the key derivation function which in turn is decided by the EDHOC hash function. For example, with SHA-256 as EDHOC hash algorithm, the maximum size of plaintext in message_2 is 8160 bytes. However, EDHOC also defines an optional backward compatible method for handling arbitrarily long message_2 plaintext sizes, see Appendix G in . The other three EAP-EDHOC messages do not have an upper bound. Furthermore, in the case of sending a certificate in a message instead of a reference, a certificate may in principle be as long as 16 MB. Hence, the EAP-EDHOC messages sent in a single round may thus be larger than the MTU size or the maximum Remote Authentication Dial-In User Service (RADIUS) packet size of 4096 octets. As a result, an EAP-EDHOC implementation MUST provide its support for fragmentation and reassembly. Since EAP is a simple ACK-NAK protocol, fragmentation support can be easily added. In EAP, fragments that are lost or damaged in transit will be retransmitted, and since sequencing information is provided by the Identifier field in EAP, there is no need for a fragment offset field as is provided in IPv4 EAP-EDHOC fragmentation support is provided through the addition of flags octet within the EAP-Response and EAP-Request packets, as well as a EDHOC Message Length field. Flags include the Length included (L), More fragments (M), and EAP-EDHOC Start (S) bits. The L flag is set to indicate the presence of the EDHOC Message Length field, and MUST be set for the first fragment of a fragmented EDHOC message. The M flag is set on all but the last fragment. The S flag is set only within the EAP-EDHOC start message sent from the EAP server to the peer. The EDHOC Message Length field provides the total length of the EDHOC message that is being fragmented; this simplifies buffer allocation. When an EAP-EDHOC peer receives an EAP-Request packet with the M bit set, it MUST respond with an EAP-Response with EAP-Type=EAP-EDHOC and no data. This serves as a fragment ACK. The EAP server MUST wait until it receives the EAP-Response before sending another fragment. To prevent errors in the processing of fragments, the EAP server MUST increment the Identifier field for each fragment contained within an EAP-Request, and the peer MUST include this Identifier value in the fragment ACK contained within the EAP-Response. Retransmitted fragments will contain the same Identifier value. Similarly, when the EAP-EDHOC server receives an EAP-Response with the M bit set, it MUST respond with an EAP-Request with EAP-Type=EAP-EDHOC and no data. This serves as a fragment ACK. The EAP peer MUST wait until it receives the EAP-Request before sending another fragment. To prevent errors in the processing of fragments, the EAP server MUST increment the Identifier value for each fragment ACK contained within an EAP-Request, and the peer MUST include this Identifier value in the subsequent fragment contained within an EAP- Response. In the case where the EAP-EDHOC mutual authentication is successful, and fragmentation is required, the conversation will appear as follows:

Fragmentation example of EAP-EDHOC Authentication | | EAP-Request/ | | EAP-Type=EAP-EDHOC | | (EDHOC Start, S bit set) | | <---------------------------------------------------- | | EAP-Response/ | | EAP-Type=EAP-EDHOC | | (EDHOC message_1) | | ----------------------------------------------------> | | EAP-Request/ | | EAP-Type=EAP-EDHOC | | (EDHOC message_2, | | Fragment 1: L,M bits set) | | <---------------------------------------------------- | | EAP-Response/ | | EAP-Type=EAP-EDHOC | | ----------------------------------------------------> | | EAP-Request/ | | EAP-Type=EAP-EDHOC | | (Fragment 2: M bits set) | | <---------------------------------------------------- | | EAP-Response/ | | EAP-Type=EAP-EDHOC | | ----------------------------------------------------> | | EAP-Request/ | | EAP-Type=EAP-EDHOC | | (Fragment 3) | | <---------------------------------------------------- | | EAP-Response/ | | EAP-Type=EAP-EDHOC | | (EDHOC message_3, | | Fragment 1: L,M bits set) | | ----------------------------------------------------> | | EAP-Request/ | | EAP-Type=EAP-EDHOC | | <--------------------------------------------------- | | EAP-Response/ | | EAP-Type=EAP-EDHOC | | (EDHOC message_3, | | Fragment 2: M bits set) | | ----------------------------------------------------> | | EAP-Request/ | | EAP-Type=EAP-EDHOC | | <--------------------------------------------------- | | EAP-Response/ | | EAP-Type=EAP-EDHOC | | (EDHOC message_3, | | Fragment 3) | | ----------------------------------------------------> | | EAP-Request/ | | EAP-Type=EAP-EDHOC | | (EDHOC message_4) | | <--------------------------------------------------- | | EAP-Response/ | | EAP-Type=EAP-EDHOC | | ---------------------------------------------------> | | EAP-Success | | <--------------------------------------------------- | + + ]]>

Identity Verification The EAP peer identity provided in the EAP-Response/Identity is not authenticated by EAP-EDHOC. Unauthenticated information MUST NOT be used for accounting purposes or to give authorization. The authenticator and the EAP-EDHOC server MAY examine the identity presented in EAP-Response/Identity for purposes such as routing and EAP method selection. EAP-EDHOC servers MAY reject conversations if the identity does not match their policy. The EAP server identity in the EDHOC server certificate is typically a fully qualified domain name (FQDN) in the SubjectAltName (SAN) extension. Since EAP-EDHOC deployments may use more than one EAP server, each with a different certificate, EAP peer implementations SHOULD allow for the configuration of one or more trusted root certificates (CA certificate) to authenticate the server certificate and one or more server names to match against the SubjectAltName (SAN) extension in the server certificate. If any of the configured names match any of the names in the SAN extension, then the name check passes. To simplify name matching, an EAP-EDHOC deployment can assign a name to represent an authorized EAP server and EAP Server certificates can include this name in the list of SANs for each certificate that represents an EAP-EDHOC server. If server name matching is not used, then it degrades the confidence that the EAP server with which it is interacting is authoritative for the given network. If name matching is not used with a public root CA, then effectively any server can obtain a certificate that will be trusted for EAP authentication by the peer. The process of configuring a root CA certificate and a server name is non-trivial; therefore, automated methods of provisioning are RECOMMENDED. For example, the eduroam federation provides a Configuration Assistant Tool (CAT) to automate the configuration process. In the absence of a trusted root CA certificate (user-configured or system-wide), EAP peers MAY implement a Trust On First Use (TOFU) mechanism where the peer trusts and stores the server certificate during the first connection attempt. The EAP peer ensures that the server presents the same stored certificate on subsequent interactions. The use of a TOFU mechanism does not allow for the server certificate to change without out-of-band validation of the certificate and is therefore not suitable for many deployments including ones where multiple EAP servers are deployed for high availability. TOFU mechanisms increase the susceptibility to traffic interception attacks and should only be used if there are adequate controls in place to mitigate this risk.

Key Hierarchy The key schedule for EDHOC is described in Section 4 of . The Key_Material and Method-Id SHALL be derived from the PRK_exporter using the EDHOC-Exporter interface, see Section 4.2.1 of . Type is the value of the EAP Type field defined in Section 2 of . For EAP-EDHOC, the Type field has the value TBD1. >, 64) EMSK = EDHOC-Exporter(TBD3 ,<< Type >>, 64) Method-Id = EDHOC-Exporter(TBD4, << Type >>, 64) Session-Id = Type || Method-Id ]]> EAP-EDHOC exports the MSK and the EMSK and does not specify how it is used by lower layers.

Parameter Negotiation and Compliance Requirements The EAP-EDHOC peers and EAP-EDHOC servers MUST comply with the compliance requirements (mandatory-to-implement cipher suites, signature algorithms, key exchange algorithms, extensions, etc.) defined in Section 7 of .

EAP State Machines The EAP-EDHOC server sends message_4 in an EAP-Request as a protected success result indication. EDHOC error messages SHOULD be considered failure result indication, as defined in . After sending or receiving an EDHOC error message, the EAP-EDHOC server may only send an EAP-Failure. EDHOC error messages are unprotected. The keying material can be derived after the EDHOC message_2 has been sent or received. Implementations following can then set the eapKeyData and aaaEapKeyData variables. The keying material can be made available to lower layers and the authenticator after the protected success indication (message_4) has been sent or received. Implementations following can set the eapKeyAvailable and aaaEapKeyAvailable variables.

Detailed Description of the EAP-EDHOC Protocol

EAP-EDHOC Request Packet A summary of the EAP-EDHOC Request packet format is shown below. The fields are transmitted from left to right. Code Identifier Length Type Flags EDHOC Message Length EDHOC data

EAP-EDHOC Response Packet A summary of the EAP-EDHOC Response packet format is shown below. The fields are transmitted from left to right. Code Identifier Length Type Flags EDHOC Message Length EDHOC data

IANA Considerations

EAP Type IANA has allocated EAP Type TBD1 for method EAP-EDHOC. The allocation has been updated to reference this document.

EDHOC Exporter Label Registry IANA has registered the following new labels in the "EDHOC Exporter Label" registry under the group name "Ephemeral Diffie-Hellman Over COSE (EDHOC)": The allocations have been updated to reference this document.

Security Considerations The security considerations of EDHOC apply to this document. The design of EAP-EDHOC follows closely EAP-TLS 1.3 and so its security considerations also apply. Except for MSK and EMSK, derived keys are not exported.

Security Claims Using EAP-EDHOC provides the security claims of EDHOC, which are described next.

1. Mutual authentication: The initiator and responder authenticate each other through the EDHOC exchange.
2. Forward secrecy: Only ephemeral Diffie-Hellman methods are supported by EDHOC, which ensures that the compromise of one session key does not also compromise earlier sessions' keys.
3. Identity protection: EDHOC secures the Responder's credential identifier against passive attacks and the Initiator's credential identifier against active attacks. An active attacker can get the credential identifier of the Responder by eavesdropping on the destination address used for transporting message_1 and then sending its message_1 to the same address.
4. Cipher suite negotiation: The Initiator's list of supported cipher suites and order of preference is fixed, and the selected cipher suite is the first cipher suite that the Responder supports.
5. Integrity protection: EDHOC integrity protects all message content using transcript hashes for key derivation and as additional authenticated data, including, e.g., method type, ciphersuites, and external authorization data.

References Normative References This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a very compact and lightweight authenticated Diffie-Hellman key exchange with ephemeral keys. EDHOC provides mutual authentication, forward secrecy, and identity protection. EDHOC is intended for usage in constrained scenarios, and a main use case is to establish an Object Security for Constrained RESTful Environments (OSCORE) security context. By reusing CBOR Object Signing and Encryption (COSE) for cryptography, Concise Binary Object Representation (CBOR) for encoding, and Constrained Application Protocol (CoAP) for transport, the additional code size can be kept very low. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This document defines the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication methods. EAP typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP. EAP provides its own support for duplicate elimination and retransmission, but is reliant on lower layer ordering guarantees. Fragmentation is not supported within EAP itself; however, individual EAP methods may support this. This document obsoletes RFC 2284. A summary of the changes between this document and RFC 2284 is available in Appendix A. [STANDARDS-TRACK] This document describes a set of state machines for Extensible Authentication Protocol (EAP) peer, EAP stand-alone authenticator (non-pass-through), EAP backend authenticator (for use on Authentication, Authorization, and Accounting (AAA) servers), and EAP full authenticator (for both local and pass-through). This set of state machines shows how EAP can be implemented to support deployment in either a peer/authenticator or peer/authenticator/AAA Server environment. The peer and stand-alone authenticator machines are illustrative of how the EAP protocol defined in RFC 3748 may be implemented. The backend and full/pass-through authenticators illustrate how EAP/AAA protocol support defined in RFC 3579 may be implemented. Where there are differences, RFC 3748 and RFC 3579 are authoritative. The state machines are based on the EAP "Switch" model. This model includes events and actions for the interaction between the EAP Switch and EAP methods. A brief description of the EAP "Switch" model is given in the Introduction section. The state machine and associated model are informative only. Implementations may achieve the same results using different methods. This memo provides information for the Internet community. In order to provide inter-domain authentication services, it is necessary to have a standardized method that domains can use to identify each other's users. This document defines the syntax for the Network Access Identifier (NAI), the user identifier submitted by the client prior to accessing resources. This document is a revised version of RFC 4282. It addresses issues with international character sets and makes a number of other corrections to RFC 4282. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. The Extensible Authentication Protocol (EAP), defined in RFC 3748, provides a standard mechanism for support of multiple authentication methods. This document specifies the use of EAP-TLS with TLS 1.3 while remaining backwards compatible with existing implementations of EAP-TLS. TLS 1.3 provides significantly improved security and privacy, and reduced latency when compared to earlier versions of TLS. EAP-TLS with TLS 1.3 (EAP-TLS 1.3) further improves security and privacy by always providing forward secrecy, never disclosing the peer identity, and by mandating use of revocation checking when compared to EAP-TLS with earlier versions of TLS. This document also provides guidance on authentication, authorization, and resumption for EAP-TLS in general (regardless of the underlying TLS version used). This document updates RFC 5216. Informative References Ericsson RISE AB RISE AB Fraunhofer AISEC Ericsson The lightweight authenticated key exchange protocol Ephemeral Diffie- Hellman Over COSE (EDHOC) can be run over the Constrained Application Protocol (CoAP) and used by two peers to establish a Security Context for the security protocol Object Security for Constrained RESTful Environments (OSCORE). This document details this use of the EDHOC protocol, by specifying a number of additional and optional mechanisms. These especially include an optimization approach for combining the execution of EDHOC with the first OSCORE transaction. This combination reduces the number of round trips required to set up an OSCORE Security Context and to complete an OSCORE transaction using that Security Context. The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation. CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments. This document describes the architecture of the eduroam service for federated (wireless) network access in academia. The combination of IEEE 802.1X, the Extensible Authentication Protocol (EAP), and RADIUS that is used in eduroam provides a secure, scalable, and deployable service for roaming network access. The successful deployment of eduroam over the last decade in the educational sector may serve as an example for other sectors, hence this document. In particular, the initial architectural choices and selection of standards are described, along with the changes that were prompted by operational experience. Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR. This document, along with RFC 9053, obsoletes RFC 8152. Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines a set of algorithms that can be used with the CBOR Object Signing and Encryption (COSE) protocol (RFC 9052). This document, along with RFC 9052, obsoletes RFC 8152. This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols. Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252. The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack. This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.

Acknowledgments The authors sincerely thank Eduardo Ingles-Sanchez for his contribution in the initial phase of this work. We also want to thank Francisco Lopez Gomez for his work on the implementation of EAP-EDHOC. This work has be possible partially by grant PID2020-112675RB-C44 funded by MCIN/AEI/10.13039/5011000011033.