zephyrproject-rtos / zephyr

Primary Git Repository for the Zephyr Project. Zephyr is a new generation, scalable, optimized, secure RTOS for multiple hardware architectures.
https://docs.zephyrproject.org
Apache License 2.0

Add support for CBOR Object Signing and Encryption (COSE) #21545

Open lindemer opened 4 years ago

lindemer commented 4 years ago

Introduction

There are a number of new standards for IoT security under development at IETF which depend on CBOR Object Signing and Encryption, or COSE (see IETF RFC 8152). This is the CBOR equivalent of JSON Web Encryption (see IETF RFC 7516). Adding a COSE library is a necessary prerequisite before the following new or proposed IETF standards can be implemented in Zephyr:

There is a growing interest in the above protocols from security researchers and certification bodies (at least in the EU), and it would be great to see this key building block available in Zephyr so others can get involved in testing implementations.

Detailed RFC

There are few existing implementations of COSE, and none are built on the encryption and CBOR libraries supported in Zephyr (i.e., TinyCrypt and tinyCBOR). It would appear that the most expedient approach is to start a new implementation from scratch.

Proposed change (Detailed)

All of the prerequisite building blocks for COSE should exist in TinyCrypt and tinyCBOR. It seems appropriate to add the new source code in the same directories as the existing JSON source code, given the number of parallels between the two:

Concerns and Unresolved Questions

My work in the near future will depend on a working COSE implementation in Zephyr. I am new to this community and I'd appreciate any feedback, and to hear from anyone interested before I get started working on this. (In particular, whether the file structure described above is appropriate for this type of feature addition.)

lindemer commented 4 years ago

I have a partial COSE implementation available as an external Zephyr module for anyone interested.

jjmilburn commented 4 years ago

Interesting! I'll be watching this for MAC/MAC0 support if that gets rolled in.

carlescufi commented 3 years ago

> I have a partial COSE implementation available as an external Zephyr module for anyone interested.

@lindemer would you be willing to submit this to Zephyr as a Pull Request? We are interested in COSE and would likely review and contribute.

carlescufi commented 3 years ago

@rlubos just found this: https://github.com/Fraunhofer-AISEC/c_OSCORE @oberien would you be interested in contributing OSCORE to Zephyr?

lindemer commented 3 years ago

@carlescufi Are you mainly interested in OSCORE or do you need a generic COSE implementation? If it's the latter case I can work on this a bit and submit it. My COSE implementation depends on an LGPL 2.1-licensed CBOR library so I could use some clarification on whether that's compatible with Apache 2.0.

StefanHri commented 3 years ago

@carlescufi and @oberien c_OSCORE was developed at Fraunhofer AISEC as a student project. Meanwhile, we further developed and extended it. The new version is still not on GitHub but we plan to do that in the coming weeks.

Are you also interested in EDHOC? EDHOC can be used to establish symmetric keys for OSCORE. We also have an EDHOC implementation that, together with OSCORE, forms a light alternative to DTLS.

We will be happy to contribute both OSCORE and EDHOC to ZephyrOS. Are you interested?

carlescufi commented 3 years ago

> @carlescufi Are you mainly interested in OSCORE or do you need a generic COSE implementation? If it's the latter case I can work on this a bit and submit it. My COSE implementation depends on an LGPL 2.1-licensed CBOR library so I could use some clarification on whether that's compatible with Apache 2.0.

@lindemer We're mostly interested in OSCORE, but having a COSE that is not bound to it would be preferable. Unfortunately we cannot accept any copyleft licenses (including LGPL) in the main Zephyr tree, so using that CBOR library is not an option for this work to be included in the main upstream repository. Let us also discuss with @StefanHri and see where we can go from here.

carlescufi commented 3 years ago

> @carlescufi and @oberien c_OSCORE was developed at Fraunhofer AISEC as a student project. Meanwhile, we further developed and extended it. The new version is still not on GitHub but we plan to do that in the coming weeks.

Great to hear, thanks for the info

> Are you also interested in EDHOC? EDHOC can be used to establish symmetric keys for OSCORE. We also have an EDHOC implementation that, together with OSCORE, forms a light alternative to DTLS.

Yes, we are indeed interested in EDHOC as well.

> We will be happy to contribute both OSCORE and EDHOC to ZephyrOS. Are you interested?

Absolutely. Assuming your code uses a compatible license, I think this should go in the main tree, and not as a module. Ideally we'd need it to be licensed under the same Apache v2 license we use for the rest. Here is what I (on behalf of Nordic) can offer to help out in the effort: