LLMpediaThe first transparent, open encyclopedia generated by LLMs

OSCORE

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article Genealogy
Parent: IETF 6TiSCH Hop 4
Expansion Funnel Raw 74 → Dedup 0 → NER 0 → Enqueued 0
1. Extracted74
2. After dedup0 (None)
3. After NER0 ()
4. Enqueued0 ()
OSCORE
NameOSCORE
DeveloperIETF
Introduced2017
StatusStandard
TypeSecurity Protocol
WebsiteIETF

OSCORE OSCORE is an application-layer security protocol designed for constrained environments and Internet of Things deployments. It provides end-to-end protection for message confidentiality, integrity, replay protection, and optional sender authentication while operating over constrained message transports and intermediary nodes.

Overview

OSCORE was developed within the Internet Engineering Task Force and specified in the IETF document set, originating from work by contributors associated with Eclipse Foundation, Ecole Polytechnique Fédérale de Lausanne, Ericsson, Siemens, Deutsche Telekom, Cisco Systems, Intel, and ARM Holdings. It targets constrained devices exemplified by platforms such as Arduino, Raspberry Pi, ESP8266, Contiki-NG, and TinyOS. OSCORE integrates with constrained application protocols that include Constrained Application Protocol, and by design complements transport-layer approaches like DTLS and TLS 1.3 when end-to-end semantics are required across intermediaries such as 6LoWPAN routers and CoAP proxies. The design was influenced by prior work on authenticated encryption like AES-GCM, key management approaches in ACE (Authentication and Authorization for Constrained Environments), and messaging formats such as CBOR.

Protocol Specification

The OSCORE specification defines message protection semantics using authenticated encryption with associated data (AEAD) primitives standardized by bodies like the National Institute of Standards and Technology and implementations often rely on algorithms such as AES-GCM-CCM and ChaCha20-Poly1305. The protocol maps application layer messages into protected payloads and protected options while preserving routable identifiers used by intermediaries, enabling operation through entities like NAT devices and IPv6 routers. OSCORE uses a layered structure for Security Contexts derived from inputs provisioned by key distribution mechanisms exemplified by ACE Framework, EST, OAuth 2.0, and public-key methods including ED25519 and X.509 credentials. Message identifiers, sequence numbers, and replay windows are specified to interoperate with link-layer characteristics in standards such as IEEE 802.15.4 and network-layer mechanisms like RPL. The specification prescribes CBOR encoding for auxiliary parameters in accord with RFC 8949 and ties to option encoding concepts seen in RFC 7252.

Security Properties

OSCORE provides end-to-end confidentiality and integrity across intermediaries, resisting passive eavesdropping and active modification attacks comparable to protections offered by IPsec and TLS/DTLS when end-to-end keys are available. Its use of AEAD primitives defends against ciphertext forgery threats analyzed in cryptographic literature by researchers at institutions including MIT, ETH Zurich, University of Cambridge, and Stanford University. Replay protection leverages sequence numbering and sliding windows analogous to techniques in IKEv2 and SRTP. OSCORE can provide sender authentication via pre-shared keys, Raw Public Keys, or asymmetric schemes like ECDSA and ED25519, reducing reliance on intermediary trust models such as those found in SIP proxy deployments. The security model addresses threats cataloged by organizations like OWASP and aligns with privacy considerations discussed in publications from IETF PRIVPROT working groups and ENISA guidance on IoT security.

Implementation and Usage

Implementations of OSCORE appear in open-source stacks and commercial products from vendors including Eclipse Foundation projects (e.g., Californium), libcoap-based libraries, and deployments by industrial automation firms such as Siemens and Schneider Electric. Integrations exist for constrained operating systems like Contiki-NG and embedded frameworks used by ARM Mbed OS and Zephyr Project. OSCORE is used in healthcare telemetry systems by vendors complying with standards from HL7 and IETF-aligned medical IoT profiles, in smart metering projects coordinated with utilities represented at IEEE working groups, and in building automation where integrators reference protocols standardized by BACnet and KNX Association. Commercial cloud platforms including Amazon Web Services, Microsoft Azure, and Google Cloud Platform provide gateways and SDKs that bridge OSCORE-protected devices to backend services. Key management examples include enrollment flows using OAuth 2.0 and dynamic authorization facilitated by ACE profiles implemented by companies such as ARM and OpenSSL contributors.

Performance and Interoperability

OSCORE was engineered to minimize overhead on constrained devices, with compact encodings influenced by CBOR and header compression techniques akin to 6LoWPAN header compression. Performance evaluations reported in academic venues such as IEEE INFOCOM, ACM SenSys, and USENIX Security show trade-offs in CPU cycles and memory when compared against DTLS, with advantages in scenarios requiring hop-by-hop intermediaries like CoAP proxies. Interoperability testing occurs at events organized by IETF plugfests and industry consortiums including OMA SpecWorks and Open Connectivity Foundation, and conformance suites reference test vectors maintained by IETF OPSAWG contributors. OSCORE's design enables interoperability with routing infrastructures including RPL and link layers such as IEEE 802.15.4e while maintaining compatibility with gateway translational mechanisms used by 6TiSCH deployments.

Category:Internet protocols