ETSI TS 102 921 V1.3.1 (2014-09)
Machine-to-Machine communications (M2M); mIa, dIa and mId interfaces
RTS/M2M-00010ed131
TECHNICAL SPECIFICATION
Machine-to-Machine communications (M2M);
mIa, dIa and mId interfaces
Reference
RTS/M2M-00010ed131
Keywords
interface, M2M, protocol, service
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
The present document can be downloaded from:
http://www.etsi.org
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2014.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Contents
Intellectual Property Rights . 22
Foreword . 22
Modal verbs terminology . 22
1 Scope . 23
2 References . 23
2.1 Normative references . 23
2.2 Informative references . 26
3 Definitions, symbols, abbreviations and conventions . 27
3.1 Definitions . 27
3.2 Symbols . 27
3.3 Abbreviations . 27
3.4 Conventions . 27
4 Overview . 27
5 General security aspects . 28
5.1 Key provisioning and hierarchy derivation . 28
5.1.1 Kmr provisioning . 28
5.1.1.1 Kmr provisioning independent of access network credentials . 28
5.1.1.2 Kmr provisioning based on access network credentials . 28
5.1.1.3 Kmr refresh and invalidation. 28
5.1.2 Kmc derivation . 29
5.1.2.1 Kmc derivation in the case of EAP based mutual authentication and key agreement . 29
5.1.2.2 Kmc derivation in the case of GBA based mutual authentication and key agreement . 29
5.1.2.3 Kmc derivation in the case of TLS based mutual authentication and key agreement . 29
5.1.2.4 Kmc refresh and invalidation . 29
5.2 Security Assumptions . 29
6 M2M Service Bootstrapping . 30
6.1 General Principles . 30
6.2 Access Network Assisted M2M Service Bootstrap Procedure . 30
6.2.1 GBA-based M2M Service Bootstrap Procedure . 30
6.2.1.1 Optional use of GBA_U with Ks_int_NAF . 30
6.2.1.2 HTTP Digest Authentication and bootstrap parameter delivery . 31
6.2.1.3 M2M Root Key (Kmr) derivation . 31
6.2.2 EAP-based bootstrapping procedure using SIM/AKA Access Network Credentials . 32
6.2.3 Bootstrapping from EAP-based access network layer . 33
6.3 Bootstrapping using other methods . 34
6.3.1 Bootstrapping methods using EAP over PANA . 34
6.3.1.1 Generic procedure . 34
6.3.1.1.1 Bootstrapping . 34
6.3.1.1.2 Bootstrap-Erase . 38
6.3.1.2 EAP/PANA - IBAKE bootstrapping operations . 42
6.3.1.2.1 Provisioning of IBE specific parameters . 43
6.3.1.2.2 Secure IBAKE protocol . 44
6.3.1.3 EAP-TLS over PANA . 45
6.3.2 M2M Service Bootstrap Procedure using TLS over TCP . 45
6.3.2.1 Recap of M2M Service Bootstrap Procedure using TLS over TCP . 45
6.3.2.2 Pre-Provisioning for M2M Service Bootstrap Procedure using TLS over TCP . 46
6.3.2.3 Mutual Authentication for M2M Service Bootstrap Procedure using TLS over TCP . 46
6.3.2.4 Parameter Delivery to D/G M2M Node for M2M Service Bootstrap Procedure using TLS over TCP . 46
6.3.3 Specifications for TLS/Certificate-Based M2M Service Bootstrap Procedures . 46
6.3.3.1 Introduction . 46
6.3.3.2 TLS Details for TLS/Certificate-Based M2M Service Bootstrap Procedures . 47
6.3.3.3 Certificate Considerations . 47
6.3.3.3.1 M2M Device/Gateway Certificate Considerations . 47
6.3.3.3.2 MSBF Certificate Considerations . 48
6.4 M2M Service Bootstrap Parameter Delivery Procedure For Procedures using HTTP . 49
6.4.1 Overview . 49
6.4.2 bootstrapParamSet Resource . 50
6.4.2.1 bootstrapParamSet Resource URI . 50
6.4.2.2 bootstrapParamSet Resource Attributes . 50
6.4.3 M2M Service Bootstrap Parameter Delivery Procedure Primitives . 50
6.4.3.1 bootstrapParamSetExecuteRequestIndication . 50
6.4.3.2 bootstrapParamSetExecuteResponseConfirm (successful case) . 51
6.4.3.3 bootstrapParamSetExecuteResponseConfirm (unsuccessful case) . 51
6.4.4 MSBF Filtering of Received bootstrapParamSetExecuteRequestIndication Primitives . 51
6.4.5 M2M Service Bootstrap Parameter Delivery Procedure Sequence of Events . 52
7 M2M Service Connection Procedures . 54
7.1 General principles . 54
7.2 M2M Service Connection Procedures leveraging access network credentials . 55
7.2.1 M2M Service Connection Procedure based on GBA . 55
7.2.1.1 TLS-PSK with GBA bootstrapped security association . 55
7.2.1.1.1 M2M Connection Key (Kmc) derivation . 56
7.2.2 M2M Service Connection Procedure Based On EAP/PANA with Access Network Credentials . 57
7.3 M2M Service Connection Procedures using EAP/PANA . 57
7.3.1 M2M Service Connection Setup Procedure using EAP/PANA . 57
7.3.2 M2M Service Connection Tear-down Procedure using EAP/PANA . 60
7.4 M2M Service Connection Procedure based on TLS-PSK . 60
7.4.1 Introduction . 60
7.4.2 TLS Details for M2M Service Connection Procedure Based On TLS-PSK . 60
7.4.3 Sequence of events for M2M Service Connection Procedure based on TLS-PSK . 61
7.4.4 Parameter Delivery to D/G M2M Node for M2M Service Connection Procedure based on TLS-PSK . 61
7.4.5 M2M Service Connection Parameter Delivery Procedure For TLS-PSK-Based Procedures . 62
7.4.5.1 Overview . 62
7.4.5.2 connectionParamSet Resource . 62
7.4.5.2.1 connectionParamSet Resource URI . 62
7.4.5.2.2 connectionParamSet Resource Attributes . 62
7.4.5.3 M2M Service Connection Parameter Delivery Procedure Primitives . 63
7.4.5.3.1 connectionParamSetExecuteRequestIndication . 63
7.4.5.3.2 connectionParamSetExecuteResponseConfirm (successful case) . 63
7.4.5.3.3 connectionParamSetExecuteResponseConfirm (unsuccessful case) . 64
7.4.5.4 M2M Service Connection Parameter Delivery Procedure Pre-Conditions . 64
7.4.5.5 MAS Filtering of Received connectionParamSetExecuteRequestIndication Primitives . 64
7.4.5.6 M2M Service Connection Parameter Delivery Sequence of Events . 64
7.5 IVal security attributes in connection establishment . 68
8 M2M Secure Communication over mId . 68
8.1 Access Network Based Security . 68
8.2 Channel Security . 68
8.2.1 Supported Channel Security Methods . 68
8.2.1.1 Negotiation to use a Channel Security Method . 69
8.2.1.2 Supported TLS/DTLS Versions and TLS Cipher Suites for Channel Security Methods . 69
8.2.1.3 Details of the DTLS/TLS Handshake . 69
8.2.1.3.1 Applicability to DTLS and TLS . 69
8.2.1.3.2 TLS ClientHello.server_name Field Details For Channel Security Methods . 70
8.2.1.3.3 TLS ServerKeyExchange.psk_identity_hint Field Details For Channel Security Methods . 70
8.2.1.3.4 TLS ClientKeyExchange.psk_identity and PSK Derivation for Channel Security Methods . 70
8.3 Object Security . 71
8.3.1 Securing CoAP-based mId . 71
8.3.2 Securing XML-based mId . 71
9 Resources . 71
10 SCL Primitives . 72
10.1 Introduction . 72
10.2 General aspects . 72
10.2.1 SCL primitives . 72
10.2.2 Asynchronous and semi-asynchronous processing . 73
10.3 Common operations . 73
10.3.1 Issuer actions . 73
10.3.1.1 Compose RequestIndication primitive . 73
10.3.1.2 Send a RequestIndication to the Receiver SCL . 74
10.3.1.2.1 Determination of the Receiver SCL . 74
10.3.1.2.2 Selection of communication channel . 74
10.3.1.3 Wait for ResponseConfirm primitive . 80
10.3.2 Hosting SCL actions . 81
10.3.2.1 Check existence of the addressed resource . 81
10.3.2.2 Check the syntax of received message . 81
10.3.2.3 Check validity of resource representation for CREATE . 81
10.3.2.4 Check validity of resource representation for UPDATE . 81
10.3.2.5 Check authorization of the requestingEntity based on accessRightID . 82
10.3.2.6 Check authorization of the requestingEntity based on selfPermission . 83
10.3.2.7 Check authorization of the requestingEntity based on default access rights . 84
10.3.2.8 Announce resource . 84
10.3.2.8.1 Update of announce on request of application . 85
10.3.2.8.2 Update of announce on request of local SCL . 86
10.3.2.8.3 Create announced Resource . 87
10.3.2.8.4 Retrieve announced Resource . 87
10.3.2.8.5 Update announced Resource . 88
10.3.2.8.6 Delete announced Resource . 88
10.3.2.9 DeAnnounce resource . 88
10.3.2.10 Create the resource . 89
10.3.2.11 Create a collection resource representation . 90
10.3.2.12 Create a successful ResponseConfirm . 90
10.3.2.13 Create an unsuccessful ResponseConfirm . 90
10.3.2.14 Read the addressed resource . 90
10.3.2.15 Update the addressed resource . 90
10.3.2.16 Delete the addressed resource . 91
10.3.2.17 Send ResponseConfirm primitive . 91
10.3.2.18 Identify the managed remote entity and the management protocol . 91
10.3.2.19 Locate the MO information to be managed on the remote entity . 91
10.3.2.20 Establish a management session with the remote entity . 92
10.3.2.21 Send the management request(s) to the remote entity corresponding to the received RequestIndication primitive . 92
10.3.2.22 Identify the managed remote entity and the management protocol . 93
10.3.2.23 SCL retargeting to an application . 95
10.3.3 Receiver SCL actions . 97
10.3.3.1 Re-targeting . 97
10.4 &lt;sclBase&gt; resource and management procedures . 98
10.4.1 &lt;sclBase&gt; resource . 98
10.4.2 sclBaseCreate . 98
10.4.3 sclBaseRetrieve . 99
10.4.3.1 sclBaseRetrieveRequestIndication . 99
10.4.3.2 sclBaseRetrieveResponseConfirm (successful case) . 100
10.4.3.3 sclBaseRetrieveResponseConfirm (unsuccessful case) . 100
10.4.4 sclBaseUpdate . 100
10.4.4.1 sclBaseUpdateRequestIndication . 100
10.4.4.2 sclBaseUpdateResponseConfirm (successful case) . 101
10.4.4.3 sclBaseUpdateResponseConfirm (unsuccessful case) . 101
10.4.5 sclBaseDelete . 101
10.5 scls resource and management procedures . 102
10.5.1 scls resource . 102
10.5.2 sclsCreate . 102
10.5.3 sclsRetrieve . 102
10.5.3.1 sclsRetrieveRequestIndication . 102
10.5.3.2 sclsRetrieveResponseConfirm (successful case) . 103
10.5.3.3 sclsRetrieveResponseConfirm (unsuccessful case) . 103
10.5.4 sclsUpdate . 104
10.5.4.1 sclsUpdateRequestIndication . 104
10.5.4.2 sclsUpdateResponseConfirm (successful case) . 105
10.5.4.3 sclsUpdateResponseConfirm (unsuccessful case) . 105
10.5.5 sclsDelete . 105
10.6 &lt;scl&gt; resource and management procedures . 106
10.6.1 &lt;scl&gt; resource . 106
10.6.2 sclCreate . 108
10.6.2.1 sclCreateRequestIndication . 108
10.6.2.2 sclCreateResponseConfirm (successful case) . 111
10.6.2.3 sclCreateResponseConfirm (unsuccessful case) . 111
10.6.3 sclRetrieve . 111
10.6.3.1 sclRetrieveRequestIndication . 111
10.6.3.2 sclRetrieveResponseConfirm (successful case) .
...