CryptoDB
Careful with MAc-then-SIGn: A Computational Analysis of the EDHOC Lightweight Authenticated Key Exchange Protocol
| Authors: | |
|---|---|
| Download: | |
| Presentation: | Slides |
| Abstract: | EDHOC is a lightweight authenticated key exchange protocol for IoT communication, currently being standardized by the IETF. Its design is a trimmed-down version of similar protocols like TLS 1.3, building on the SIGn-then-MAc (SIGMA) rationale. In its trimming, however, EDHOC notably deviates from the SIGMA design by sending only short, non-unique credential identifiers, and letting recipients perform trial verification to determine the correct communication partner. Done naively, this can lead to identity misbinding attacks when an attacker can control some of the user keys, invalidating the original SIGMA security analysis and contesting the security of EDHOC. In this talk we present a computational analysis capturing the potential attack vectors introduced by non-unique credential identifiers. We show that EDHOC, in its latest draft version 17, indeed achieves the intended key exchange security with user authentication even in a strong model where the adversary can register malicious keys with colliding identifiers, given that the employed signature scheme provides so-called exclusive ownership. Through our security result, we confirm cryptographic improvements integrated by the IETF working group in recent draft versions of EDHOC based on recommendations from our and others' analysis. We will comment on these fruitful interactions with the IETF LAKE working group in the talk, as an encouraging example of how proactive security analyses accompanying standardization efforts benefit real-world cryptography. |
| Video: | https://youtu.be/WEjgFMuwIAc?t=3570 |
BibTeX
@misc{rwc-2023-35444,
title={Careful with MAc-then-SIGn: A Computational Analysis of the EDHOC Lightweight Authenticated Key Exchange Protocol},
note={Video at \url{https://youtu.be/WEjgFMuwIAc?t=3570}},
howpublished={Talk given at RWC 2023},
author={Felix Günther and Marc Ilunga Tshibumbu Mukendi},
year=2023
}