Paper 2022/1705
Careful with MAc-then-SIGn: A Computational Analysis of the EDHOC Lightweight Authenticated Key Exchange Protocol
Abstract
EDHOC is a lightweight authenticated key exchange protocol for IoT communication, currently being standardized by the IETF. Its design is a trimmed-down version of similar protocols like TLS 1.3, building on the SIGn-then-MAc (SIGMA) rationale. In its trimming, however, EDHOC notably deviates from the SIGMA design by sending only short, non-unique credential identifiers, and letting recipients perform trial verification to determine the correct communication partner. Done naively, this can lead to identity misbinding attacks when an attacker can control some of the user keys, invalidating the original SIGMA security analysis and contesting the security of EDHOC. In this work, we formalize a multi-stage key exchange security model capturing the potential attack vectors introduced by non-unique credential identifiers. We show that EDHOC, in its draft version 17, indeed achieves session key security and user authentication even in a strong model where the adversary can register malicious keys with colliding identifiers, given that the employed signature scheme provides so-called exclusive ownership. Through our security result, we confirm cryptographic improvements integrated by the IETF working group in recent draft versions of EDHOC based on recommendations from our and others' analysis.
Metadata
- Available format(s)
- Category: Cryptographic protocols
- Publication info: Preprint.
- Keywords: EDHOC, key exchange, SIGMA, exclusive ownership, identity misbinding
- Contact author(s): mail @ felixguenther info; marc ilunga @ trailofbits com
- History: 2022-12-10: approved; 2022-12-09: received; See all versions
- Short URL: https://ia.cr/2022/1705
- License: CC BY
BibTeX
@misc{cryptoeprint:2022/1705,
  author = {Felix Günther and Marc Ilunga Tshibumbu Mukendi},
  title = {Careful with {MAc}-then-{SIGn}: A Computational Analysis of the {EDHOC} Lightweight Authenticated Key Exchange Protocol},
  howpublished = {Cryptology {ePrint} Archive, Paper 2022/1705},
  year = {2022},
  url = {https://eprint.iacr.org/2022/1705}
}