Is there a way for authentication and authorization in CoAP without DTLS and on the application layer?
3 Answers
Yes there is: OSCORE (RFC8613) got released recently, and provides application-layer security that is end-to-end, can support multicast (separate document, quite stable but not an RFC yet) and can still use CoAP proxies for retransmission and fragmentation.
OSCORE on its own only provides the symmetric parts, so for authentication using certificates, raw public keys or to get perfect forward secrecy, you'll still need ... something (EDHOC was suggested to fill in those parts and is my favorite solution) -- but whether you need that really depends on your particular application.
As for authorization, you may want to look into CWT (RFC8392) (the Constrained version of JWT); further documents around that are in preparation.
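As an added illustration (not code from the answer above, and not the Californium or any other OSCORE implementation), this shows the symmetric part the answer refers to: how an OSCORE security context derives its Sender Key, Recipient Key and Common IV from a shared Master Secret and Master Salt per RFC 8613 section 3.2, using HKDF-SHA256 and a small hand-written CBOR encoder for the `info` structure. The default algorithm id 10 is COSE's AES-CCM-16-64-128 (16-byte key, 13-byte nonce); the hex inputs used in the test are constructed sample values.

```python
# Added example (not from the answer above): OSCORE security-context derivation
# per RFC 8613 section 3.2, using HKDF-SHA256 and a minimal CBOR encoder.
import hashlib
import hmac

def _head(major, n):
    """CBOR initial byte(s) for a major type and unsigned argument n."""
    if n < 24:
        return bytes([major << 5 | n])
    if n < 256:
        return bytes([major << 5 | 24, n])
    return bytes([major << 5 | 25]) + n.to_bytes(2, "big")

def cbor(v):
    """Minimal CBOR encoder covering the types in the OSCORE 'info' array."""
    if v is None:
        return b"\xf6"                                  # nil
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v                     # byte string
    if isinstance(v, str):
        enc = v.encode("utf-8")
        return _head(3, len(enc)) + enc                 # text string
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor(x) for x in v)
    raise TypeError(f"unsupported CBOR value: {v!r}")

def hkdf_sha256(salt, ikm, info, length):
    """RFC 5869 HKDF-Extract followed by HKDF-Expand (HMAC-SHA-256)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def derive_context(master_secret, master_salt, sender_id, recipient_id,
                   id_context=None, alg_aead=10, key_len=16, nonce_len=13):
    """Sender Key, Recipient Key and Common IV for AES-CCM-16-64-128 (COSE alg 10)."""
    def kdf(ident, typ, length):
        # info = [id, id_context, alg_aead, type, L]  (RFC 8613 section 3.2.1)
        info = cbor([ident, id_context, alg_aead, typ, length])
        return hkdf_sha256(master_salt, master_secret, info, length)
    return {
        "sender_key": kdf(sender_id, "Key", key_len),
        "recipient_key": kdf(recipient_id, "Key", key_len),
        "common_iv": kdf(b"", "IV", nonce_len),  # Common IV uses the empty id
    }
```

RFC 8613 Appendix C publishes full test vectors for this derivation, so an implementation can be checked against them; note that the key material itself still has to be provisioned out of band or via a key exchange such as EDHOC, which is exactly the gap the answer points out.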
Well, you might somehow encrypt your payload, craft a key exchange approach, etc., but it is a really bad idea unless you are a top security expert. Even in that case, schemes that are not widely known publicly are a threat.
DTLS covers most security issues in a proven way.
If you are searching for an alternative approach, I would strongly recommend that you mention your reason for doing so, so that you don't jump out of the frying pan into the fire.
So, do you have any hard drawbacks with DTLS?
DTLS has its complexity and pitfalls. Whether other approaches, such as OSCORE, compete better depends on your criteria.
Wow, I didn't know Californium team is working on integrating it. Thanks. – eugene-nikolaev Aug 14 '19 at 07:17