Careful with MAc-then-SIGn: A Computational Analysis of the EDHOC Lightweight Authenticated Key Exchange Protocol

Abstract

EDHOC is a lightweight authenticated key exchange protocol for IoT communication, currently being standardized by the IETF. Its design is a trimmed-down version of similar protocols like TLS 1.3, building on the SIGn-then-MAc (SIGMA) rationale. In its trimming, however, EDHOC notably deviates from the SIGMA design by sending only short, non-unique credential identifiers, and letting recipients perform trial verification to determine the correct communication partner. Done naively, this can lead to identity misbinding attacks when an attacker can control some of the user keys, invalidating the original SIGMA security analysis and contesting the security of EDHOC. In this work, we formalize a multi-stage key exchange security model capturing the potential attack vectors introduced by non-unique credential identifiers. We show that EDHOC, in its draft version 17, indeed achieves session key security and user authentication even in a strong model where the adversary can register malicious keys with colliding identifiers, given that the employed signature scheme provides so-called exclusive ownership. Through our security result, we confirm cryptographic improvements integrated by the IETF working group in recent draft versions of EDHOC based on recommendations from our and others' analysis.

Available format(s)
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
EDHOC key exchange SIGMA exclusive ownership identity misbinding
Contact author(s)
mail @ felixguenther info
marc ilunga @ trailofbits com
History
2022-12-10: approved
See all versions
Short URL
https://ia.cr/2022/1705

CC BY

BibTeX

@misc{cryptoeprint:2022/1705,
author = {Felix Günther and Marc Ilunga Tshibumbu Mukendi},
title = {Careful with MAc-then-SIGn: A Computational Analysis of the EDHOC Lightweight Authenticated Key Exchange Protocol},
howpublished = {Cryptology ePrint Archive, Paper 2022/1705},
year = {2022},
note = {\url{https://eprint.iacr.org/2022/1705}},
url = {https://eprint.iacr.org/2022/1705}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.