leshan
OSCORE support in Leshan
This issue aims to centralize everything about OSCORE integration in Leshan 2.0.0 (LWM2M 1.1). Currently work is in progress, led by @rikard-sics, who also works on OSCORE integration in Californium.
See the specifications for more details:
- RFC8613 : Object Security for Constrained RESTful Environments (OSCORE)
- OSCORE in LWM2M 1.1
- end-to-end-security-for-the-internet-of-things page
The code will be available in an oscore branch until we have a minimal viable feature that could be integrated in the 2.0.0 branch.
A minimal viable feature could be :
- OSCORE over coap at client side (see #726)
- OSCORE over coap at server side (see #727)
(Demos are not mandatory for a minimal viable feature, but integration tests should be there)
Tentative plan for next steps:
- Update code to use Californium 2.0.0-M17
- Implement an Identity and related things in SecurityChecker for OSCORE
- Work on the server side issues according to discussion in #727
- Add possibility of entering OSCORE context information as command line parameters for client
I have now created PR https://github.com/eclipse/leshan/pull/749 to update the code to use Californium 2.0.0-M17 instead. I will create a new PR to change the OSCORE context database to not be a singleton in Leshan anymore.
I have now made a PR that adds support for setting OSCORE-related security parameters in command line arguments to the client, here: https://github.com/eclipse/leshan/pull/755
I added this link: https://omaspecworks.org/end-to-end-security-for-the-internet-of-things/ about this topic.
> I added this link: https://omaspecworks.org/end-to-end-security-for-the-internet-of-things/ about this topic.
Thanks for providing a link to that document. Nice to see it also brings up ACE and EDHOC. I am following the work in the IETF LAKE working group (for creating a lightweight authenticated key exchange for OSCORE). ACE is also something we are using in various use cases.
Continuing the discussion from the last PR.
On a very high level the initial goal for me would be support for communicating with OSCORE between Client & Device Manager, communicating with OSCORE between Client & Bootstrap Server, and a Client being able to receive bootstrapping information with OSCORE security material from the Bootstrap Server. Currently the first two points functionally work (but need adjustments).
As a bit more detailed plan these are points I can think of:
- Rebase the current code on master
- Remove the ID Context input on client, Device Manager and Bootstrap Server
- Design and implement an OSCORE Store
- Implement bootstrapping to receive OSCORE security material
In the end I think it's better to rebase the code now, otherwise it would be even more potential conflicts in the future. As you mentioned in the last PR we should also discuss considerations related to the OSCORE store. I could create a separate issue about that.
> In the end I think it's better to rebase the code now, otherwise it would be even more potential conflicts in the future.
About rebasing, maybe in practice it would be easier to cherry-pick only the needed commits (probably avoiding everything that is not about OSCORE, like SenML and Californium integration?). Even with this, I bet this will be a complicated task because a lot of code changed and some classes were moved. Finally, it is maybe even easier to just "rewrite" (copy/paste) the code.
As this will be really painful, and as I feel myself a bit responsible for that, I will try to work on this (unless you already found a magic way to do that?).
> As you mentioned in the last PR we should also discuss considerations related to the OSCORE store. I could create a separate issue about that.
:+1:
@rikard-sics I started to work on rebasing; I created a dedicated issue to discuss that: #866
I have now created a PR to remove the ID context inputs as we discussed. See https://github.com/eclipse/leshan/pull/867
Some further comments now after the rebase. One thought I had was that it may be good to add some JUnit tests for OSCORE functionality?
Then I also realized an inconsistency. The way that Sender ID and Recipient ID are entered on the web UI for the Bootstrap Server and Management Server is opposite. Probably, since the UI is for adding and configuring a new client, it is better if the Sender ID and Recipient ID are from the client's point of view. I can make a change like that in the future.
So some further steps can be:
- Fix TODOs in the code
- Add JUnit tests
- Have consistent way in web UIs for adding Sender/Recipient ID
Also I will be fairly inactive now during August since I will be going on vacation.
> So some further steps can be:
> - Fix TODOs in the code
> - Add JUnit tests
> - Have consistent way in web UIs for adding Sender/Recipient ID
It sounds good to me.
> Also I will be fairly inactive now during August since I will be going on vacation.
Me too, at least for the first 2 weeks of August :)
Just to summarize the lists of next steps above with the points taken care of removed:
- ~~Rebase the current code on master~~
- ~~Remove the ID Context input on client, Device Manager and Bootstrap Server~~
- Design and implement an OSCORE Store
- ~~Implement bootstrapping to receive OSCORE security material~~ (pending)
- Fix TODOs in the code
- Add JUnit tests
- Have consistent way in web UIs for adding Sender/Recipient ID
> As you mentioned in the last PR we should also discuss considerations related to the OSCORE store. I could create a separate issue about that.
I have now created an issue for further discussion about an OSCORE store at https://github.com/eclipse/leshan/issues/920.
Hello Leshan Community.
Could anyone kindly help me to understand why I have faced the following failures when using server-client connections in OSCORE mode after the client is registered on the server.
- None of the Objects (/1, /3, /6, /21, /3301) can be read via the web interface. The 'Internal Server Error (unknown server)' message occurs above the Read button. No error messages in the server/client terminal. CoAP messages log for /6 Read: CON-POST + ACK-2.04. Detailed run and configuration steps/logs are attached - leshan_oscore_run_configuration_steps.txt
- All OSCORE object resources can be executed only (/21/12345/0...5) leshan_object_21_resources
- After the client registration, the client account on the server's 'Security' tab contains the 'Client Endpoint' field only. The 'Security Mode' and 'Security Information' fields have disappeared. leshan_security_tab
> Could anyone kindly help me to understand why I have faced the following failures when using server-client connections in OSCORE mode after the client is registered on the server.
Hello. I have been working on adding OSCORE support to Leshan. Thank you for the feedback regarding this functionality. Let me try to reply to the points you list.
- Yes, unfortunately I am experiencing this also. Thanks for bringing this to my attention. It could be a regression introduced by some of the latest changes in the code or the rebasing on the master branch. I will look into this and try to solve it ASAP.
- My understanding is that the OSCORE object on a client should not be readable from the LWM2M server. In fact it should probably not be in that list at all, even for Execute.
- That should be because functionality to persist and present the OSCORE configuration for a client in the server web UI is currently missing. That is a TODO I have noted locally and aim to fix in a future update.
> None of the Objects (/1, /3, /6, /21, /3301) can be read via the web interface. The 'Internal Server Error (unknown server)' message occurs above the Read button. No error messages in the server/client terminal. CoAP messages log for /6 Read: CON-POST + ACK-2.04. Detailed run and configuration steps/logs are attached - leshan_oscore_run_configuration_steps.txt
I have now submitted a pull request that should also solve this issue.
Rikard, thank you for the timely response and the fix! I checked it and confirm that Read/Write/Observe/Cancellation/Create/Delete operations work properly.
During the '*demo.jar' build process I faced an error at the '[INFO] leshan - integration tests ......................... FAILURE [ 11.396 s]' step. But I succeeded in building with the '-fn' option. The log for debugging purposes with '-e -X' is here: mvn_install.zip
You mentioned that the OSCORE mode was added for the DM account on the Bootstrap server, and actually I could add it, but NO_SEC mode is shown (as it is not implemented yet). Is there a way to perform the Bootstrapping at the current stage from the command line? bootstrap_web_interface_dm_oscore
Please ignore my question concerning the ability of the Bootstrap procedure. The client was successfully bootstrapped and reachable on DM server. The only issue is this 'Failed to retrieve OSCORE object linked from BS security object' line. Is it acceptable?
BS: java -jar leshan-bsserver-demo/target/leshan-bsserver-demo--SNAPSHOT-jar-with-dependencies.jar -lp 5693 -slp 5694
DM: java -jar leshan-server-demo/target/leshan-server-demo--SNAPSHOT-jar-with-dependencies.jar -wp 8081
Client: java -jar leshan-client-demo/target/leshan-client-demo-*-SNAPSHOT-jar-with-dependencies.jar -n oscore_client -b -u localhost:5693
2020-12-22 15:52:03,896 INFO LeshanClient - Starting Leshan client ...
2020-12-22 15:52:03,899 ERROR ServersInfoExtractor - Failed to retrieve OSCORE object linked from BS security object
2020-12-22 15:52:03,900 ERROR ServersInfoExtractor - Failed to retrieve OSCORE object linked from BS security object
2020-12-22 15:52:03,901 ERROR ServersInfoExtractor - Failed to retrieve OSCORE object linked from BS security object
2020-12-22 15:52:03,901 INFO LeshanClient - Leshan client[endpoint:oscore_client] started.
2020-12-22 15:52:03,901 INFO DefaultRegistrationEngine - Trying to start bootstrap session to coap://localhost:5693 ...
2020-12-22 15:52:03,958 INFO CaliforniumEndpointsManager - New endpoint created for server coap://localhost:5693 at coap://0.0.0.0:39767
2020-12-22 15:52:03,990 INFO DefaultRegistrationEngine - Bootstrap started
2020-12-22 15:52:04,004 DEBUG Security - Write on Security resource /0/0/0
....
2020-12-22 15:52:04,006 DEBUG Security - Write on Security resource /0/0/12
2020-12-22 15:52:04,017 DEBUG Security - Write on Security resource /0/1/0
....
2020-12-22 15:52:04,019 DEBUG Security - Write on Security resource /0/1/12
2020-12-22 15:52:04,019 DEBUG Security - Write on Security resource /0/1/17
2020-12-22 15:52:04,024 DEBUG Server - Write on Server resource /1/0/0
2020-12-22 15:52:04,025 DEBUG Server - Write on Server resource /1/0/1
2020-12-22 15:52:04,025 DEBUG Server - Write on Server resource /1/0/2
2020-12-22 15:52:04,025 DEBUG Server - Write on Server resource /1/0/6
2020-12-22 15:52:04,026 DEBUG Server - Write on Server resource /1/0/7
2020-12-22 15:52:04,029 DEBUG Security - Write on resource 0: LwM2mSingleResource [id=0, value=0102030405060708090a0b0c0d0e0f10, type=STRING]
2020-12-22 15:52:04,030 DEBUG Security - Write on resource 1: LwM2mSingleResource [id=1, value=01, type=STRING]
2020-12-22 15:52:04,030 DEBUG Security - Write on resource 2: LwM2mSingleResource [id=2, value=02, type=STRING]
2020-12-22 15:52:04,030 DEBUG Security - Write on resource 3: LwM2mSingleResource [id=3, value=10, type=INTEGER]
2020-12-22 15:52:04,030 DEBUG Security - Write on resource 4: LwM2mSingleResource [id=4, value=-10, type=INTEGER]
2020-12-22 15:52:04,031 DEBUG Security - Write on resource 5: LwM2mSingleResource [id=5, value=9e7ca92223786340, type=STRING]
2020-12-22 15:52:04,042 INFO DefaultRegistrationEngine - Bootstrap finished coap://localhost:5693.
2020-12-22 15:52:04,043 DEBUG Security - Read on resource 0
...
2020-12-22 15:52:04,043 DEBUG Security - Read on resource 5
2020-12-22 15:52:04,044 ERROR ServersInfoExtractor - Failed to retrieve OSCORE object linked from BS security object
2020-12-22 15:52:04,045 INFO CaliforniumEndpointsManager - Adding OSCORE context for coap://localhost:5683
2020-12-22 15:52:04,119 INFO CaliforniumEndpointsManager - New endpoint created for server coap://localhost:5683 at coap://0.0.0.0:54988
2020-12-22 15:52:04,119 DEBUG Security - Read on resource 0
...
2020-12-22 15:52:04,120 DEBUG Security - Read on resource 5
2020-12-22 15:52:04,120 ERROR ServersInfoExtractor - Failed to retrieve OSCORE object linked from BS security object
2020-12-22 15:52:04,120 INFO DefaultRegistrationEngine - Trying to register to coap://localhost:5683 ...
2020-12-22 15:52:04,147 INFO DefaultRegistrationEngine - Registered with location '/rd/h8JjIHYw3m'.
2020-12-22 15:52:04,148 INFO DefaultRegistrationEngine - Next registration update to coap://localhost:5683 in 53s...
2020-12-22 15:52:23,215 DEBUG Server - Read on Server resource /1/0/0
....
2020-12-22 15:52:23,217 DEBUG Server - Read on Server resource /1/0/23
> 2020-12-22 15:52:03,899 ERROR ServersInfoExtractor - Failed to retrieve OSCORE object linked from BS security object
> 2020-12-22 15:52:03,900 ERROR ServersInfoExtractor - Failed to retrieve OSCORE object linked from BS security object
> 2020-12-22 15:52:03,901 ERROR ServersInfoExtractor - Failed to retrieve OSCORE object linked from BS security object
I guess it could be an issue related to https://github.com/eclipse/leshan/pull/950#discussion_r545759146.
> '[INFO] leshan - integration tests ......................... FAILURE [ 11.396 s]' step.
I also face the test failure; I think this is because of: https://github.com/eclipse/leshan/pull/950#discussion_r551228991
> The client was successfully bootstrapped and reachable on DM server. The only issue is this 'Failed to retrieve OSCORE object linked from BS security object' line. Is it acceptable?
Thanks for the feedback. I have now updated the PR and code in my branch to fix this.
@rikard-sics We haven't had news from you for a long time. Hoping all is going fine for you :slightly_smiling_face: Are you still working on OSCORE?
> @rikard-sics We haven't had news from you for a long time. Hoping all is going fine for you. Are you still working on OSCORE?
Hello. Yes I am indeed working on OSCORE. Currently I am working on implementing usage of the OSCORE Appendix B.2 procedure when OSCORE is used in Leshan. It is specified in the LWM2M 1.1 Transport Bindings document section 5.5.3 that Appendix B.2 of OSCORE should be used.
Basically Appendix B.2 derives a new OSCORE Security Context (with new Sender and Recipient keys). The benefit this has is that if a LWM2M client reboots and starts using the same Security Context that it was originally configured with, it will not be using the same Sender Key while starting over from sequence number 0 (thus having nonce and key reuse). But rather it will first run Appendix B.2 to generate a new Context (Sender and Recipient keys) with the LWM2M Server or LWM2M Bootstrap server. So essentially every time the client connects the first time using OSCORE to a LWM2M Server or LWM2M Bootstrap server, Appendix B.2 will be run. See https://tools.ietf.org/html/rfc8613#appendix-B.2
However, the core functionality for Appendix B.2 is implemented in Californium. While trying to make use of this in Leshan I realized there was an issue in the Californium code, in the specific case where the client takes the initiative to run Appendix B.2 but the server is then the first to actually send a request afterwards (as will happen when bootstrapping or registering). So basically I am now working on the Californium code to fix this issue (and some other things about Appendix B.2). My aim is to have a PR created for Californium in the coming week. Then I will move over to implement this in Leshan (perhaps I can have an intermediate solution until Californium releases a new version).
One nice benefit of having this Appendix B.2 functionality-wise is also that currently if the client is restarted but the server is not, the server will complain about replayed messages. But since Appendix B.2 refreshes the security contexts this problem will no longer exist.
@rikard-sics Good to hear. :-)
@rikard-sics @sbernard31 I am currently trying to implement OSCORE for wakaama. I would like to test my implementation in the near future against the Leshan implementation. But I am absolutely not familiar with Java. There is currently no possibility to set OSCORE credentials and keying material over the web interface. Or was I just not seeing it? Is there, or could you provide, some (hopefully easy) explanation of how I could add an OSCORE security context to Leshan?
> @rikard-sics @sbernard31 I am currently trying to implement OSCORE for wakaama. I would like to test my implementation in the near future against the Leshan implementation. But I am absolutely not familiar with Java. There is currently no possibility to set OSCORE credentials and keying material over the web interface. Or was I just not seeing it? Is there, or could you provide, some (hopefully easy) explanation of how I could add an OSCORE security context to Leshan?
If you use the code from the "oscore"-branch there is a way to configure OSCORE security contexts both in the web interface of the bootstrap server and the server. For the client you can provide it using command line parameters.
Check the "oscore"-branch and we can discuss more if you have any further questions. I could for instance provide instructions on how to configure a basic test scenario using OSCORE with a client, bootstrap server and server.
As explained above (https://github.com/eclipse/leshan/issues/725#issuecomment-811974435), there are still some limitations and probably some remaining bugs, so please do not hesitate to share any issue you face.
Once you get the oscore branch, you will need to compile & run it. see README for more details.
> As explained above (#725 (comment)), there are still some limitations and probably some remaining bugs, so please do not hesitate to share any issue you face.
@LukasKarel Yes please feel free to share any issues you encounter. And as you can see in that comment above, for instance Appendix B.2 support is not yet added to Leshan (whereas the LWM2M 1.1 spec states that it shall be used). So if you have Appendix B.2 support in your underlying OSCORE implementation it is better to not use it towards the bootstrap server and server for now. (I am working on adding this support to Leshan.)
Thank you both for your fast replies. I was able to add an OSCORE Context to Leshan. Thank you! I am not sure why it did not work the first time.
@rikard-sics I encountered two issues. Please download LeshanOscore.zip for traces. In leshan_leshanclient.pcapng I used the Leshan Demo Client to verify OSCORE functionality (because of the next issue). The OSCORE object (Id 21) is reported in the registration payload, which should not be the case according to LWM2M Spec 1.1 6.2.1 Register. But requests are encrypted with OSCORE as expected. The second issue occurs if I try to use my implementation based on wakaama (leshan_oscore.pcapng). Registration and registration updates are working as expected. But if I want to read a resource, the server sends a plain CoAP request. How does the server decide if OSCORE or CoAP should be used for requests? I am not sure if credentials are saved with the trace:
- Master Secret: 0102030405060708090a0b0c0d0e0f10
- Master Salt:
- Sender ID: 00
- Recipient ID: 01
- AEAD Algorithm: AES_CCM_16_64_128
- HKDF Algorithm: HKDF_HMAC_SHA_256