7.5 Sensitive Cryptographic Functions
7.5.1 <cipher> resource
7.5.1.0 Introduction
Secure Environments shall provide a service for cryptographic operations. A <cipher> resource shall represent sensitive data and related information owned by a creator.
The <cipher> resource shall contain the child resources specified in table 7.5.1.0-1.
Table 7.5.1.0-1: Child resources of <cipher> resource
| Child Resources of <cipher> | Child Resource Type | Multiplicity | Description |
|---|---|---|---|
| encrypt | <encrypt> | 1 | See clause 7.5.1.2 |
| decrypt | <decrypt> | 1 | See clause 7.5.1.3 |
| generateKey | <generateKey> | 0..1 | See clause 7.5.1.4 |
| algorithmSpecificParameter | <algorithmSpecificParameter> | 0..1 | See clause 7.5.1.5 |
Attributes in <cipher> are shown in table 7.5.1.0-2.
Table 7.5.1.0-2: Attributes of <cipher> resource
| Attributes of <signature> | Multiplicity | RW/ RO/ WO |
Description |
|---|---|---|---|
| resourceType | 1 | RO | Defines the resource type. |
| resourceID | 1 | RO | Defines an identifier for the resource. This attribute shall be provided by the creator. The creator shall assign a resourceID which is unique within its context. |
| resourceName | 1 | WO | This attribute is the name for the resource that is used for 'hierarchical addressing method' to represent the parent-child relationships of resources. |
| parentID | 1 | RO | This attribute is the resourceID of the parent of this resource. |
| expirationTime | 1 | RW | Time/date after which the resource will be deleted by the Hosting CSE. |
| accessControlPolicyIDs | 0..1 (L) | RW | Is used to control access to the resource. If no accessControlPolicyIDs are provided at the time of creation, the accessControlPolicyIDs of the parent resource is linked to this attribute. |
| creationTime | 1 | RO | Time/date of creation of the resource. The creationTime is set by the CSE hosting the SE when the resource is created. |
| lastModifiedTime | 1 | RO | Last modification time/date of the resource. This attribute is mandatory. The lastModifiedTime value is set by the Hosting CSE when the resource is created, and the lastModifiedTime value is updated when the resource is updated. |
| sensitiveData | 0..1 | RW | Message to be either encrypted or decrypted. |
| currentByteSize | 1 | RW | Current size in bytes of sensitive data. |
| maxByteSize | 1 | RO | Maximum size in bytes of sensitive data. |
| algorithm | 1 | WO | Contains the algorithm type of the resource instance. |
| keyData | 0..1 | WO | Contains the value of the key. |
| calculatedData | 0..1 | RO | Contains the result of a cipher operation. |
Table 7.5.1.0-3: Data types of <cipher> resource specific attributes
| Name |
Request Optionality | Data type |
|
|---|---|---|---|
| Create | Update | ||
| sensitiveData | O | O | xs:byte |
| algorithm | M | NP | senv:cipherAlgorithm |
| keyData | O | NP | xs:byte |
| currentByteSize | O | O | xs:nonNegativeInteger |
| maxByteSize | M | NP | xs:nonNegativeInteger |
| calculatedData | NP | NP | xs:byte |
The following types are defined for the algorithm attribute:
- ALG_AEAD_AES_128_GCM: The AEAD_AES_128_GCM authenticated encryption algorithm works as specified in IETF RFC 5116 [8], using AES-128 as the block cipher, by providing the key, nonce, and plaintext, and associated data to that mode of operation.
- ALG_AEAD_AES_256_GCM: This algorithm is identical to AEAD_AES_128_GCM, but with the following differences: K_LEN is 32 octets, instead of 16 octets, and AES-256 GCM is used instead of AES128 GCM.
- ALG_AEAD_AES_128_CCM: The AEAD_AES_128_CCM authenticated encryption algorithm works as specified in IETF RFC 5116 [8], using AES-128 as the block cipher, by providing the key, nonce, associated data, and plaintext to that mode of operation.
- ALG_AEAD_AES_256_CCM: This algorithm is identical to AEAD_AES_128_CCM, but with the following differences: K_LEN is 32 octets, instead of 16, and AES-256 CCM is used instead of AES-128 CCM.
- ALG_AEAD_AES_128_CCM_8: The AEAD_AES_128_CCM_8 authenticated encryption algorithm is identical to the AEAD_AES_128_CCM algorithm (see section 5.3 of IETF RFC 5116 [8]), except that it uses 8 octets for authentication, instead of the full 16 octets used by AEAD_AES_128_CCM (see section 6.1 of IETF RFC 6655 [9]).
- ALG_AEAD_AES_256_CCM_8: The AEAD_AES_256_CCM_8 authenticated encryption algorithm is identical to the AEAD_AES_256_CCM algorithm (see section 5.4 of IETF RFC 5116 [8]), except that it uses 8 octets for authentication, instead of the full 16 octets used by AEAD_AES_256_CCM (see section 6.2 of IETF RFC 6655 [9]).
- ALG_AES_BLOCK_128_CBC_NOPAD : Cipher algorithm ALG_AES_BLOCK_128_CBC_NOPAD provides a cipher using AES with block size 128 in CBC mode and does not pad input data.
- ALG_AES_CBC_ISO9797_M1: Cipher algorithm ALG_AES_CBC_ISO9797_M1 provides a cipher using AES with block size 128 in CBC mode, and pads input data according to the ISO 9797 [10] method 1 scheme.
- ALG_AES_CBC_ISO9797_M2: Cipher algorithm ALG_AES_CBC_ISO9797_M2 provides a cipher using AES with block size 128 in CBC mode, and pads input data according to the ISO 9797 [10] method 2 (ISO 7816-4 [i.3], EMV'96) scheme.
- ALG_AES_CBC_PKCS5: Cipher algorithm ALG_AES_CBC_PKCS5 provides a cipher using AES with block size 128 in CBC mode, and pads input data according to the PKCS#5 scheme.
7.5.1.1 <cipher> Resource Procedures
7.5.1.1.1 CREATE <cipher>
This procedure shall be used for creating a <cipher> resource.
Table 7.5.1.1.1-1: <cipher> CREATE
| <cipher> CREATE request message parameters | |
|---|---|
| Associated Reference Point | Mcs |
| Information in Request message |
All parameters defined in table 8.1.2-3 of oneM2M TS-0001 [2]. apply with the specific details for: To: contains M2M-SE-ID or SE hosted AE-ID/CSE-ID Content: The resource content shall provide the information as defined in clause 7.5.1 |
| Processing at Originator before sending Request | According to clause 10.1.1.1 of oneM2M TS-0001 [2]. |
| Processing at Receiver | According to clause 10.1.1.1.of oneM2M TS-0001 [2]. |
| Information in Response message |
All parameters defined in table 8.1.3-1 of oneM2M TS-0001 [2]. apply with the specific details for: Content: Address of the created <cipher> resource, according to clause 10.1.1.1 of oneM2M TS-0001 [2]. |
| Processing at Originator after receiving Response | According to clause 10.1.1.1 of oneM2M TS-0001 [2]. |
| Exceptions | According to clause 10.1.1.1 of oneM2M TS-0001 [2]. |
If <generateKey> is created, the key to be used will be generated and stored in keyData.
7.5.1.1.2 RETRIEVE <cipher>
This procedure shall be used for retrieving the generated output from all/last input data of the <Cipher> resource.
Table 7.5.1.1.2-1: <cipher> RETRIEVE
| <cipher> RETRIEVE request message parameters | |
|---|---|
| Associated Reference Point | Mcs |
| Information in Request message |
According to clause 10.1.2 of oneM2M TS-0001 [2] with the specific details for: To: contains M2M-SE-ID or SE hosted AE-ID/CSE-ID |
| Processing at Originator before sending Request | According to clause 10.1.2 of oneM2M TS-0001 [2] |
| Processing at Receiver | According to clause 10.1.2 of oneM2M TS-0001 [2] |
| Information in Response message |
All parameters defined in table 8.1.3-1 of oneM2M TS-0001 [2] apply with specific details for: Content: Attributes of the <cipher> resources as defined in clause 7.5.1 |
| Processing at Originator after receiving Response | According to clause 10.1.2 of oneM2M TS-0001 [2] |
| Exceptions | According to clause 10.1.2 of oneM2M TS-0001 [2] |
7.5.1.1.3 UPDATE <cipher>
This procedure shall be used for updating the <cipher> resource with data to encrypt or decrypt. It may be necessary to use this procedure several times until all data is transmitted.
Table 7.5.1.1.3-1: <cipher> UPDATE
| <cipher> UPDATE request message parameters | |
|---|---|
| Associated Reference Point | Mcs |
| Information in Request message |
All parameters defined in table 8.1.2-3 of oneM2M TS-0001 [2] apply with the specific details for: To: contains M2M-SE-ID or SE-hosted AE-ID/CSE-ID Content: attributes of the <cipher> resource as defined in clause 7.5.1 which need be updated |
| Processing at Originator before sending Request | According to clause 10.1.3 of oneM2M TS-0001 [2] |
| Processing at Receiver | According to clause 10.1.3 of oneM2M TS-0001 [2] |
| Information in Response message | According to clause 10.1.3 of oneM2M TS-0001 [2] |
| Processing at Originator after receiving Response | According to clause 10.1.3 of oneM2M TS-0001 [2] |
| Exceptions | According to clause 10.1.3 of oneM2M TS-0001 [2] |
7.5.1.1.4 DELETE <cipher>
This procedure shall be used for deleting a <cipher> resource.
Table 7.5.1.1.4-1: <cipher> DELETE
| <cipher> DELETE request message parameters | |
|---|---|
| Associated Reference Point | Mcs |
| Information in Request message |
All parameters defined in table 8.1.2-3 of oneM2M TS-0001 [2] apply with the specific details for: To: contains M2M-SE-ID or SE hosted AE-ID/CSE-ID |
| Processing at Originator before sending Request | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
| Processing at Receiver | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
| Information in Response message | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
| Processing at Originator after receiving Response | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
| Exceptions | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
7.5.1.2 <encrypt> Resource
The <encrypt> resource is a virtual resource because it does not have a representation. It is the child resource of a <cipher> resource. When a RETRIEVE request addresses the <encrypt> resource, the sensitiveData of the <cipher> resource shall be encrypted and the result shall be stored in calculatedData .
The <encrypt> resource inherits access control policies that apply to the parent <cipher> resource.
7.5.1.3 <decrypt> Resource
The <decrypt> resource is a virtual resource because it does not have a representation. It is the child resource of a <cipher> resource. When a RETRIEVE request addresses the <decrypt> resource, the sensitiveData of the <cipher> resource shall be decrypted and the result shall be stored in calculatedData .
The <decrypt> resource inherits access control policies that apply to the parent <cipher> resource.
7.5.1.4 <generateKey> Resource
The <generateKey> resource is a virtual resource because it does not have a representation. When a RETRIEVE request addresses the <generateKey> resource, the keyData attribute shall be filled with a key generated according to the algorithm attribute.
The <generateKey> resource inherits access control policies that apply to the parent resource.
7.5.1.5 <algorithmSpecificParameter> Resource
The <algorithmSpecificParameter> contains parameter required for the different algorithm.
The <algorithmSpecificParameter> resource shall inherit the same access control policies of the parent <cipher> resource, and shall not have its own accessControlPolicyIDs attribute.
Attributes in <algorithmSpecificParameter> are shown in table 7.5.1.5-1.
Table 7.5.1.5-1: Attributes of_<algorithmSpecificParameter>_ resource
| Attributes of <algorithmSpecificParameter> | Multiplicity | RW/ RO/ WO |
Description |
|---|---|---|---|
| resourceType | 1 | RO | Defines the resource type. |
| resourceID | 1 | RO | Defines an identifier for the resource. This attribute shall be provided by the creator. The creator shall assign a resourceID which is unique within its context. |
| resourceName | 1 | WO | This attribute is the name for the resource that is used for 'hierarchical addressing method' to represent the parent-child relationships of resources. |
| parentID | 1 | RO | This attribute is the resourceID of the parent of this resource. |
| expirationTime | 1 | RW | Time/date after which the resource will be deleted by the Hosting CSE. |
| accessControlPolicyIDs | 0..1 (L) | RW | Is used to control access to the resource. If no accessControlPolicyIDs are provided at the time of creation, the accessControlPolicyIDs of the parent resource is linked to this attribute |
| creationTime | 1 | RO | Time/date of creation of the resource. The creationTime is set by the CSE hosting the SE when the resource is created. |
| lastModifiedTime | 1 | RO | Last modification time/date of the resource. This attribute is mandatory. The lastModifiedTime value is set by the Hosting CSE when the resource is created, and the lastModifiedTime value is updated when the resource is updated. |
| initialVector | 0..1 | RW | AES algorithms, except for ALG_AES_CMAC_128, in CBC mode expect a 16-byte parameter value for the initialization vector (IV). |
| Nonce | 0..1 | RW | a value for the nonce as expected by AEAD algorithm |
| associatedData | 0..1 | RW | The associated data for AEAD algorithm, which contains the data to be authenticated, but not encrypted. |
| Label | 0..1 | RW | "EXPORTER-oneM2M-Bootstrap" for TLS Key Export for Enrolment Key. "EXPORTER-oneM2M-Connection" for TLS Key Export for M2M Secure Connection Key. |
Table 7.5.1.5-2: Data types of <algorithmSpecificParameter> resource specific attributes
| Name. |
Request Optionality | Data type. |
|
|---|---|---|---|
| Create | Update | ||
| initialVector | O | O | xs:byte |
| nonce | O | O | xs:byte |
| associatedData | O | O | xs:byte |
| label | O | O | senv:cipherLabel |
7.5.2 <rand> resource
7.5.2.0 Introduction
A <rand> resource shall represent random data owned by a creator.
The <rand> resource shall contain the child resources specified in table 7.5.2.0-1.
Table 7.5.2.0-1: Child resources of <rand> resource
| Child Resources of <rand> | Child Resource Type | Multiplicity | Description | <randAnnc> Child Resource Types |
|---|---|---|---|---|
| generateRand | <generateRand> | 1 | See clause 7.5.2.2 | None |
Attributes in <rand> are shown in table 7.5.2.0-2.
Table 7.5.2.0-2: Attributes of <rand> resource
| Attributes of <rand> | Multiplicity | RW/ RO/ WO |
Description |
|---|---|---|---|
| resourceType | 1 | RO | Defines the resource type. |
| resourceID | 1 | RO | Defines an identifier for the resource. This attribute shall be provided by the creator. The creator shall assign a resourceID which is unique within its context. |
| resourceName | 1 | WO | This attribute is the name for the resource that is used for 'hierarchical addressing method' to represent the parent-child relationships of resources. |
| parentID | 1 | RO | This attribute is the resourceID of the parent of this resource. |
| expirationTime | 1 | RW | Time/date after which the resource will be deleted by the Hosting CSE. |
| accessControlPolicyIDs | 0..1 (L) | RW | Is used to control access to the resource. If no accessControlPolicyIDs are provided at the time of creation, the accessControlPolicyIDs of the parent resource is linked to this attribute. |
| creationTime | 1 | RO | Time/date of creation of the resource. The creationTime is set by the CSE hosting the SE when the resource is created. |
| lastModifiedTime | 1 | RO | Last modification time/date of the resource. This attribute is mandatory. The lastModifiedTime value is set by the Hosting CSE when the resource is created, and the lastModifiedTime value is updated when the resource is updated. |
| randomData | 0..1 | RO | Contains random data which can be retrieved by the creator. |
| rngType | 1 | WO | The following types of RNGs can be requested according to ISO/IEC 18031 [13]: pseudo RNG or true (physical) RNG. |
| requestedDataSize | 0..1 | RW | Requested amount of randomData in Bytes. |
Table 7.5.2.0-3: Data types of <rand> resource specific attributes
| Name. |
Request Optionality | Data type. |
|
|---|---|---|---|
| Create | Update | ||
| randomData | NP | NP | xs:byte |
| rngType | M | NP | senv:rngType |
| requestedDataSize | O | O | xs:nonNegativeInteger |
7.5.2.1 <rand> Resource Procedures
7.5.2.1.1 CREATE <rand>
This procedure shall be used for creating a <rand> resource.
Table 7.5.2.1.1-1: <rand> CREATE
| <rand> CREATE request message parameters | |
|---|---|
| Associated Reference Point | Mcs |
| Information in Request message |
All parameters defined in table 8.1.2-3 of oneM2M TS-0001 [2] apply with the specific details for: To: contains M2M-SE-ID or SE hosted AE-ID or CSE-ID Content: The resource content shall provide the information as defined in clause 7.5.2 |
| Processing at Originator before sending Request | According to clause 10.1.1.1 of oneM2M TS-0001 [2] |
| Processing at Receiver | According to clause 10.1.1.1 of oneM2M TS-0001 [2] |
| Information in Response message |
All parameters defined in table 8.1.3-1 of oneM2M TS-0001 [2] apply with the specific details for: Content: Address of the created <cipher> resource, according to clause 10.1.1.1 of oneM2M TS-0001 [2] |
| Processing at Originator after receiving Response | According to clause 10.1.1.1 of oneM2M TS-0001 [2] |
| Exceptions | According to clause 10.1.1.1 of oneM2M TS-0001 [2] |
7.5.2.1.2 RETRIEVE <rand>
This procedure shall be used for retrieving the random numbers.
Table 7.5.2.1.2-1: <rand> RETRIEVE
| <rand> RETRIEVE request message parameters | |
|---|---|
| Associated Reference Point | Mcs |
| Information in Request message |
According to clause 10.1.2 of oneM2M TS-0001 [2] with the specific details for To: contains M2M-SE-ID or SE hosted AE-ID or CSE-ID |
| Processing at Originator before sending Request | According to clause 10.1.2 of oneM2M TS-0001 [2] |
| Processing at Receiver | According to clause 10.1.2 of oneM2M TS-0001 [2] |
| Information in Response message |
All parameters defined in table 8.1.3-1 of oneM2M TS-0001 [2] apply with specific details for: Content: Attributes of the <rand> resources as defined in clause 7.5.2 |
| Processing at Originator after receiving Response | According to clause 10.1.2 of oneM2M TS-0001 [2] |
| Exceptions | According to clause 10.1.2 of oneM2M TS-0001 [2] |
7.5.2.1.3 UPDATE <rand>
This procedure shall be used for setting the amount of random data which is requested.
Table 7.5.2.1.3-1: <rand> UPDATE
| <rand> UPDATE request message parameters | |
|---|---|
| Associated Reference Point | Mcs |
| Information in Request message |
All parameters defined in table 8.1.2-3 of oneM2M TS-0001 [2] apply with the specific details for: To: contains M2M-SE-ID or SE hosted AE-ID or CSE-ID Content: attributes of the <rand> resource as defined in clause 7.5.2 which need be updated |
| Processing at Originator before sending Request | According to clause 10.1.3 of oneM2M TS-0001 [2] |
| Processing at Receiver | According to clause 10.1.3 of oneM2M TS-0001 [2] |
| Information in Response message | According to clause 10.1.3 of oneM2M TS-0001 [2] |
| Processing at Originator after receiving Response | According to clause 10.1.3 of oneM2M TS-0001 [2] |
| Exceptions | According to clause 10.1.3 of oneM2M TS-0001 [2] |
7.5.2.1.4 DELETE <rand>
This procedure shall be used for deleting a <rand> resource.
Table 7.5.2.1.4-1: <rand_>_ DELETE
| <rand> DELETE request message parameters | |
|---|---|
| Associated Reference Point | Mcs |
| Information in Request message |
All parameters defined in table 8.1.2-3 of oneM2M TS-0001 [2] apply with the specific details for: To: contains M2M-SE-ID or SE hosted AE-ID or CSE-ID |
| Processing at Originator before sending Request | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
| Processing at Receiver | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
| Information in Response message | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
| Processing at Originator after receiving Response | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
| Exceptions | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
7.5.2.2 <generateRand> Resource
The <generateRand> resource is a virtual resource because it does not have a representation. When a RETRIEVE request addresses the <generateRand> resource, the randomData attribute shall be filled with random numbers from a random number generator according to the rngType attribute.
The <generateRand> resource inherits access control policies that apply to the parent resource.
7.5.3 <hash> resource
7.5.3.0 Introduction
Secure Environments shall provide a service for calculating hashes. A <hash> resource shall represent sensitive data and related information owned by a creator.
The <hash> resource shall contain the child resources specified in table 7.5.3.0-1.
Table 7.5.3.0-1: Child resources of <hash> resource
| Child Resources of <hash> | Child Resource Type | Multiplicity | Description | <hashAnnc> Child Resource Types |
|---|---|---|---|---|
| calculateHash | <calculateHash> | 1 | See clause 7.5.3.2 | None |
Attributes in <hash> are shown in table 7.5.3.0-2.
Table 7.5.3.0-2: Attributes of <hash_>_ resource
| Attributes of <hash> | Multiplicity | RW/ RO/ WO |
Description |
|---|---|---|---|
| resourceType | 1 | RO | Defines the resource type. |
| resourceID | 1 | RO | Defines an identifier for the resource. This attribute shall be provided by the creator. The creator shall assign a resourceID which is unique within its context. |
| resourceName | 1 | WO | This attribute is the name for the resource that is used for 'hierarchical addressing method' to represent the parent-child relationships of resources. |
| parentID | 1 | RO | This attribute is the resourceID of the parent of this resource. |
| expirationTime | 1 | RW | Time/date after which the resource will be deleted by the Hosting CSE. |
| accessControlPolicyIDs | 0..1 (L) | RW | Is used to control access to the resource. If no accessControlPolicyIDs are provided at the time of creation, the accessControlPolicyIDs of the parent resource is linked to this attribute. |
| creationTime | 1 | RO | Time/date of creation of the resource. The creationTime is set by the CSE hosting the SE when the resource is created. |
| lastModifiedTime | 1 | RO | Last modification time/date of the resource. This attribute is mandatory. The lastModifiedTime value is set by the Hosting CSE when the resource is created, and the lastModifiedTime value is updated when the resource is updated. |
| algorithm | 1 | WO | Specifies the algorithm for the hash. |
| message | 0..1 | RW | The message which is to be hashed. |
| hashValue | 0..1 | RO | Is the calculated Hash. |
Table 7.5.3.0-3: Data types of <hash> resource specific attributes
| Name. |
Request Optionality | Data type. |
|
|---|---|---|---|
| Create | Update | ||
| algorithm | M | NP | senv:hashAlgorithm |
| message | O | O | xs:byte |
| hashValue | NP | NP | xs:byte |
The following types are defined as algorithm types:
- SHA256;
- SHA384;
- SHA512.
7.5.3.1 <hash> Resource Procedures
7.5.3.1.1 CREATE <hash>
This procedure shall be used for creating a <hash> resource.
Table 7.5.3.1.1-1: <hash> CREATE
| <hash> CREATE request message parameters | |
|---|---|
| Associated Reference Point | Mcs |
| Information in Request message |
All parameters defined in table 8.1.2-3 of oneM2M TS-0001 [2] apply with the specific details for: To: contains M2M-SE-ID or SE hosted AE-ID or CSE-ID Content: The resource content shall provide the information as defined in clause 7.5.3 |
| Processing at Originator before sending Request | According to clause 10.1.1.1 of oneM2M TS-0001 [2] |
| Processing at Receiver | According to clause 10.1.1.1 of oneM2M TS-0001 [2] |
| Information in Response message |
All parameters defined in table 8.1.3-1 of oneM2M TS-0001 [2] apply with the specific details for: Content: Address of the created <hash> resource, according to clause 10.1.1.1.of oneM2M TS-0001 [2] |
| Processing at Originator after receiving Response | According to clause 10.1.1.1 of oneM2M TS-0001 [2] |
| Exceptions | According to clause 10.1.1.1 of oneM2M TS-0001 [2] |
7.5.3.1.2 RETRIEVE <hash>
This procedure shall be used for retrieving the calculated hash.
Table 7.5.3.1.2-1: <hash> RETRIEVE
| <hash> RETRIEVE request message parameters | |
|---|---|
| Associated Reference Point | Mcs |
| Information in Request message |
According to clause 10.1.2 of oneM2M TS-0001 [2] with the specific details for: To: contains M2M-SE-ID or SE hosted AE-ID or CSE-ID |
| Processing at Originator before sending Request | According to clause 10.1.2 of oneM2M TS-0001 [2] |
| Processing at Receiver | According to clause 10.1.2 of oneM2M TS-0001 [2] |
| Information in Response message |
All parameters defined in table 8.1.3-1 of oneM2M TS-0001 [2] apply with specific details for: Content: Attributes of the <hash> resources as defined in clause 7.5.3 |
| Processing at Originator after receiving Response | According to clause 10.1.2 of oneM2M TS-0001 [2] |
| Exceptions | According to clause 10.1.2 of oneM2M TS-0001 [2] |
7.5.3.1.3 UPDATE <hash>
This procedure shall be used for updating the <hash> resource with data to be hashed.
Table 7.5.3.1.3-1: <hash> UPDATE
| <hash> UPDATE request message parameters | |
|---|---|
| Associated Reference Point | Mcs |
| Information in Request message |
All parameters defined in table 8.1.2-3 of oneM2M TS-0001 [2] apply with the specific details for: To: contains M2M-SE-ID or SE hosted AE-ID or CSE-ID Content = attributes of the <hash> resource as defined in clause 7.5.3 which need be updated |
| Processing at Originator before sending Request | According to clause 10.1.3 of oneM2M TS-0001 [2] |
| Processing at Receiver | According to clause 10.1.3 of oneM2M TS-0001 [2] |
| Information in Response message | According to clause 10.1.3 of oneM2M TS-0001 [2] |
| Processing at Originator after receiving Response | According to clause 10.1.3 of oneM2M TS-0001 [2] |
| Exceptions | According to clause 10.1.3 of oneM2M TS-0001 [2] |
7.5.3.1.4 DELETE <hash>
This procedure shall be used for deleting a <hash> resource.
Table 7.5.3.1.4-1: <hash> DELETE
| <hash> DELETE request message parameters | |
|---|---|
| Associated Reference Point | Mcs |
| Information in Request message |
All parameters defined in table 8.1.2-3 of oneM2M TS-0001 [2] apply with the specific details for: To: contains M2M-SE-ID or SE hosted AE-ID or CSE-ID |
| Processing at Originator before sending Request | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
| Processing at Receiver | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
| Information in Response message | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
| Processing at Originator after receiving Response | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
| Exceptions | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
7.5.3.2 <calculateHash> Resource
The <calculateHash> resource is a virtual resource because it does not have a representation. When a RETRIEVE request addresses the <calculateHash> resource, the hashValue attribute shall be filled with the hash calculated over the data in the message attribute according to the algorithm attribute.
The <calculateHash> resource inherits access control policies that apply to the parent resource.
7.5.4 <signature> resource
7.5.4.0 Introduction
Secure Environments shall provide a service for signing messages and verifying signatures. A <signature> resource shall represent sensitive data and related information owned by a creator.
The <signature> resource shall contain the child resources specified in table 7.5.4.0-1.
Table 7.5.4.0-1: Child resources of <signature> resource
| Child Resources of <signature> | Child Resource Type | Multiplicity | Description | <signatureAnnc> Child Resource Types |
|---|---|---|---|---|
| calculateSignature | <calculateSignature> | 1 | See clause 7.5.4.2 | None |
| verifySignature | <verifySignature> | 1 | See clause 7.5.4.3 | None |
| generateKey | <generateKey> | 0..1 | See clause 7.5.4.4 | None |
Attributes in <Signature> are shown in table 7.5.4.0-2.
Table 7.5.4.0-2: Attributes of <signature> resource
| Attributes of <signature> | Multiplicity | RW/ RO/ WO |
Description |
|---|---|---|---|
| resourceType | 1 | RO | Defines the resource type. |
| resourceID | 1 | RO | Defines an identifier for the resource. This attribute shall be provided by the creator. The creator shall assign a resourceID which is unique within its context. |
| resourceName | 1 | WO | This attribute is the name for the resource that is used for 'hierarchical addressing method' to represent the parent-child relationships of resources. |
| parentID | 1 | RO | This attribute is the resourceID of the parent of this resource. |
| expirationTime | 1 | RW | Time/date after which the resource will be deleted by the Hosting CSE. |
| accessControlPolicyIDs | 0..1 (L) | RW | Is used to control access to the resource. If no accessControlPolicyIDs are provided at the time of creation, the accessControlPolicyIDs of the parent resource is linked to this attribute. |
| creationTime | 1 | RO | Time/date of creation of the resource. The creationTime is set by the CSE hosting the SE when the resource is created. |
| lastModifiedTime | 1 | RO | Last modification time/date of the resource. This attribute is mandatory. The lastModifiedTime value is set by the Hosting CSE when the resource is created, and the lastModifiedTime value is updated when the resource is updated. |
| message | 0..1 | RW | Message either to be signed or to be used to verify a signature, this could be alternatively a hash value. |
| algorithm | 1 | WO | Contains the algorithm type of the resource instance. |
| keyData | 0..1 | WO | Contains the value of the key. |
| keyInformation | 0..1 | RW | Contains information about the key like a certificate. |
| signature | 0..1 | RW | Contains the signature either to be calculated or to be verified. |
| verificationResult | 0..1 | RO | Contains the result of a signature verification operation. |
Table 7.5.4.0-3: Data types of <signature> resource specific attributes
| Name. |
Request Optionality | Data type |
|
|---|---|---|---|
| Create | Update | ||
| message | O | O | xs:byte |
| algorithm | M | NP | senv:signatureAlgorithm |
| keyData | O | NP | xs:byte |
| keyInformation | O | O | xs:anyType |
| signature | O | O | xs:byte |
| verificationResult | NP | NP | xs:boolean |
The following types are defined for the algorithm attribute:
- ALG_AES_CMAC_128 : Signature algorithm ALG_AES_CMAC_128 generates a 16-byte Cipher-based MAC (CMAC) using AES with blocksize 128 in CBC mode with ISO9797_M2 padding scheme.
- ALG_AES_MAC_128_NOPAD :Signature algorithm ALG_AES_MAC_128_NOPAD generates a 16byte MAC using AES with blocksize 128 in CBC mode and does not pad input data.
- ALG_ECDSA_SHA_256 :Signature algorithm ALG_ECDSA_SHA_256 generates a 32-byte SHA256 digest and signs/verifies the digest using ECDSA with the curve defined in the ECKey parameters - such as the P-256 curve specified in the Digital Signature Standards specification NIST FIPS PUB 186-4 [11].
- ALG_ECDSA_SHA_384 :Signature algorithm ALG_ECDSA_SHA_384 generates a 48-byte SHA-384 digest and signs/verifies the digest using ECDSA with the curve defined in the ECKey parameters - such as the P-384 curve specified in the Digital Signature Standards specification NIST FIPS PUB 186-4 [11].
- ALG_ECDSA_SHA_512 :Signature algorithm ALG_ECDSA_SHA_512 generates a 64-byte SHA-512 digest and signs/verifies the digest using ECDSA with the curve defined in the ECKey parameters - such as the P-521 curve specified in the Digital Signature Standards specification NIST FIPS PUB 186-4 [11].
- ALG_HMAC_SHA_256 :HMAC message authentication algorithm ALG_HMAC_SHA_256 This algorithm generates an HMAC following the steps found in IETF RFC 2104 [12] using SHA-256 as the hashing algorithm.
- ALG_HMAC_SHA_384 :HMAC message authentication algorithm ALG_HMAC_SHA_384 This algorithm generates an HMAC following the steps found in IETF RFC 2104 [12] using SHA-384 as the hashing algorithm.
- ALG_HMAC_SHA_512 :HMAC message authentication algorithm ALG_HMAC_SHA_512 This algorithm generates an HMAC following the steps found in IETF RFC 2104 [12] using SHA-512 as the hashing algorithm.
7.5.4.1 <signature> Resource Procedures
7.5.4.1.1 CREATE <signature>
This procedure shall be used for creating a <signature> resource.
Table 7.5.4.1.1-1: <signature> CREATE
| <Signature> CREATE request message parameters | |
|---|---|
| Associated Reference Point | Mcs |
| Information in Request message |
All parameters defined in table 8.1.2-3 of oneM2M TS-0001 [2] apply with the specific details for: To: contains M2M-SE-ID or SE hosted AE-ID or CSE-ID Content: The resource content shall provide the information as defined in clause 7.5.1 |
| Processing at Originator before sending Request | According to clause 10.1.1.1 of oneM2M TS-0001 [2] |
| Processing at Receiver | According to clause 10.1.1.1 of oneM2M TS-0001 [2] |
| Information in Response message |
All parameters defined in table 8.1.3-1 of oneM2M TS-0001 [2] apply with the specific details for: Content: Address of the created <signature> resource, according to clause 10.1.1.1 of oneM2M TS-0001 [2] |
| Processing at Originator after receiving Response | According to clause 10.1.1.1 of oneM2M TS-0001 [2] |
| Exceptions | According to clause 10.1.1.1 of oneM2M TS-0001 [2] |
If <generateKey > is created, the key to be used shall be generated and stored in keyData, in such a case keyInformation shall be filled with the public part of the generated key.
7.5.4.1.2 RETRIEVE <signature>
This procedure shall be used for retrieving either the calculated signature of the <Signature> resource or the result of the verification of a signature.
Table 7.5.4.1.2-1: <signature> RETRIEVE
| <signature> RETRIEVE request message parameters | |
|---|---|
| Associated Reference Point | Mcs |
| Information in Request message |
According to clause 10.1.2 of oneM2M TS-0001 [2] with the specific details for: To: contains M2M-SE-ID or SE hosted AE-ID or CSE-ID |
| Processing at Originator before sending Request | According to clause 10.1.2 of oneM2M TS-0001 [2] |
| Processing at Receiver | According to clause 10.1.2 of oneM2M TS-0001 [2] |
| Information in Response message |
All parameters defined in table 8.1.3-1 of oneM2M TS-0001 [2] apply with specific details for: Content: Attributes of the <signature> resources as defined in clause 7.5.4 |
| Processing at Originator after receiving Response | According to clause 10.1.2 of oneM2M TS-0001 [2] |
| Exceptions | According to clause 10.1.2 of oneM2M TS-0001 [2] |
7.5.4.1.3 UPDATE <signature>
This procedure shall be used for updating the <signature> resource with the message to be signed or to be verified and in the case of verification the signature to be verified.
Table 7.5.4.1.3-1: <signature> UPDATE
| <signature> UPDATE request message parameters | |
|---|---|
| Associated Reference Point | Mcs |
| Information in Request message |
All parameters defined in table 8.1.2-3 of oneM2M TS-0001 [2] apply with the specific details for: To: contains M2M-SE-ID or SE hosted AE-ID or CSE-ID Content: attributes of the <signature> resource as defined in clause 7.5.4 which need be updated |
| Processing at Originator before sending Request | According to clause 10.1.3 of oneM2M TS-0001 [2] |
| Processing at Receiver | According to clause 10.1.3 of oneM2M TS-0001 [2] |
| Information in Response message | According to clause 10.1.3 of oneM2M TS-0001 [2] |
| Processing at Originator after receiving Response | According to clause 10.1.3 of oneM2M TS-0001 [2] |
| Exceptions | According to clause 10.1.3 of oneM2M TS-0001 [2] |
7.5.4.1.4 DELETE <signature>
This procedure shall be used for deleting a <signature> resource.
Table 7.5.4.1.4-1: <signature> DELETE
| <signature> DELETE request message parameters | |
|---|---|
| Associated Reference Point | Mcs |
| Information in Request message |
All parameters defined in table 8.1.2-3 of oneM2M TS-0001 [2] apply with the specific details for: To: contains M2M-SE-ID or SE hosted AE-ID or CSE-ID |
| Processing at Originator before sending Request | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
| Processing at Receiver | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
| Information in Response message | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
| Processing at Originator after receiving Response | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
| Exceptions | According to clause 10.1.4.1 of oneM2M TS-0001 [2] |
7.5.4.2 <calculateSignature> Resource
The <calculateSignature> resource is a virtual resource because it does not have a representation. It is the child resource of a <signature> resource. When a RETRIEVE request addresses the <calculateSignature> resource, the signature shall be calculated and written in the signature attribute of the <signature> resource.
The <calculateSignature> resource inherits access control policies that apply to the parent <signature> resource.
7.5.4.3 <verifySignature> Resource
The <verifySignature> resource is a virtual resource because it does not have a representation. It is the child resource of a <signature> resource. When a RETRIEVE request addresses the <verifySignature> resource, signature attribute of the <signature> resource shall be verified and the result shall be stored in verificationResult .
The <verifySignature> resource inherits access control policies that apply to the parent <cipher> resource.
7.5.4.4 <generateKey> Resource
The <generateKey> resource is a virtual resource because it does not have a representation. When a RETRIEVE request addresses the <generateKey> resource, the keyData attribute shall be filled with a key generated according the algorithm attribute.
The <generateKey> resource inherits access control policies that apply to the parent resource.