Add Sequence Token Generator ?

[sbernard31]

I understand that current default TokenGenerator is random based.

Looking at 4.2. Updated Token Processing Requirements for Clients , It seems that recommended way is a sequence number.

When CoAP is used with a security protocol not providing bindings between requests and responses, the Tokens have cryptographic importance. The client MUST make sure that Tokens are not used in a way so that responses risk being associated with the wrong request.

One easy way to accomplish this is to implement the Token (or part of the Token) as a sequence number, starting at zero for each new or rekeyed secure connection. This approach SHOULD be followed.

Do you think that SequenceGenerator should be added and/or maybe use as default ?

[boaks]

It seems that recommended way is a sequence number.

And previously, it was a random.

Do you think that SequenceGenerator should be added and/or maybe use as default ?

If you like to add one, OK. I don't think, it makes sense to use it as default. Anyway, it's easy to define it as application specific default, if someone wants that.

[boaks]

By the way, assuming that such an attack would make only sense say within 24h. How many, say 4 bytes token are emitted usually in 24h per device? What will be the probability, that one of 4 byte tokens are reused within 24h? And just to say, if the DTLS sequence number receive window is enabled, what will be left of that attack?

[boaks]

The API is able to work with a custom implementation of TokenGenerator. If someone is interested, please go for it. In the case someone wants to contribute it, that will be welcome.