IETF Logo Mail Archive

[Lake] Computational analysis of EDHOC Sig-Sig - improvement suggestions for transcript hashes

Ilunga Tshibumbu Mukendi Marc <marcilu@student.ethz.ch> Fri, 08 July 2022 09:45 UTC

Return-Path: <marcilu@student.ethz.ch>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E26CC157B59 for <lake@ietfa.amsl.com>; Fri, 8 Jul 2022 02:45:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.905
X-Spam-Level:
X-Spam-Status: No, score=-6.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zvmcfWjL27s8 for <lake@ietfa.amsl.com>; Fri, 8 Jul 2022 02:45:53 -0700 (PDT)
Received: from mailg110.ethz.ch (mailg110.ethz.ch [IPv6:2001:67c:10ec:5605::21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F015EC157903 for <lake@ietf.org>; Fri, 8 Jul 2022 02:45:51 -0700 (PDT)
Received: from mailm210.d.ethz.ch (2001:67c:10ec:5603::24) by mailg110.ethz.ch (2001:67c:10ec:5605::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.9; Fri, 8 Jul 2022 11:45:39 +0200
Received: from mailm115.d.ethz.ch (2001:67c:10ec:5602::27) by mailm210.d.ethz.ch (2001:67c:10ec:5603::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.9; Fri, 8 Jul 2022 11:45:49 +0200
Received: from mailm115.d.ethz.ch ([fe80::a116:d57c:67b5:4c67]) by mailm115.d.ethz.ch ([fe80::a116:d57c:67b5:4c67%3]) with mapi id 15.01.2507.009; Fri, 8 Jul 2022 11:45:48 +0200
From: Ilunga Tshibumbu Mukendi Marc <marcilu@student.ethz.ch>
To: "lake@ietf.org" <lake@ietf.org>
Thread-Topic: Computational analysis of EDHOC Sig-Sig - improvement suggestions for transcript hashes
Thread-Index: AQHYki7Bx0PZeaSgS0aU9IgCcTyOUK10OTqs
Date: Fri, 08 Jul 2022 09:45:48 +0000
Message-ID: <d74e6ee606e543a084a76c37f2ada023@student.ethz.ch>
References: <428673a502dd4ec3980c2201eec3a1e3@student.ethz.ch>
In-Reply-To: <428673a502dd4ec3980c2201eec3a1e3@student.ethz.ch>
Accept-Language: en-GB, de-CH, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.5.38.150]
Content-Type: multipart/alternative; boundary="_000_d74e6ee606e543a084a76c37f2ada023studentethzch_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/BTxPdJl0Z8ylSe1P7i0BFx1T_0o>
Subject: [Lake] Computational analysis of EDHOC Sig-Sig - improvement suggestions for transcript hashes
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2022 09:45:57 -0000

Dear Mališa, dear all,

Following our last email and in preparation for the IETF 114, we would like to offer a suggestion from our computational analysis of EDHOC. I will first state the suggestion and then give some motivation and justification.

Suggestion: Include the authentication credentials in the transcript hash computation.

Namely, we suggest modifying the transcript hashes TH_3 and TH_4 to include the credential of the peer that authenticate themselves. More precisely, we propose that protocol participants compute:
   > TH_3 = H(TH_2, (PAD_2, G_Y, ID_CRED_R, SIGNATURE_2, EAD_2, C_R, CRED_R)) instead of
   >    TH_3 = H(TH_2, (PAD_2, G_Y, ID_CRED_R, SIGNATURE_2, EAD_2, C_R))

Similarly, we propose that the computation of TH_4 becomes
   >   TH_4 = H(TH_3, (PAD_3, ID_CRED_I, SIGNATURE_3, EAD_3, CRED_I)) instead of
   >   TH_4 = H(TH_3, (PAD_3, ID_CRED_I, SIGNATURE_3, EAD_3))

The philosophy behind this proposal is to make explicit the identity of the peer that authenticated themselves, even if those identities are not sent. (One can think of this as expanding TH to include the actual identity credentials, which the sent ID_CRED values hint to but do not uniquely determine). This is to simplify arguing agreement on the communication peer.


Motivation and justification:

- We analysed EDHOC in the Multi-Stage Key exchange model, following the work [Dow21] of Dowling et al.
- We suggest the change above as an improvement towards ensuring explicit authentication, which we observed when analysing the following excerpt from the draft (draft-14, section 3.5.3):

  "As stated in Section 3.1 of [I-D.ietf-cose-rfc8152bis-struct], applications MUST NOT assume that 'kid' values are unique, and several keys associated with a 'kid' may need to be checked before the correct one is found. Applications might use additional information such as 'kid context' or lower layers to determine which key to try first. Applications should strive to make ID_CRED_x as unique as possible, since the recipient may otherwise have to try several keys."

We modelled the above statement conservatively and considered that any ID_CRED might reference multiple identities and associated credentials. A potential consequence of this modelling is that there may be ambiguity about the identity of the peer who authenticated themselves, which needs careful consideration. For instance, if ID_CRED_R refers to both CRED_R and CRED_R', the initiator that tries multiple public keys could conclude that it is talking to R'. If this occurs, the protocol would still come to completion since the transcript hash won't change.

The standard unforgeability notion of signature schemes would not necessarily prevent such a scenario [1], and our analysis relies on strictly stronger notions. Concretely we require that signature schemes in EDHOC provide explicit ownership. In our model and proof, we had to rely on the relatively strong notion of "Malicious Universal Exclusive Ownership" to capture explicit authentication for EDHOC as currently specified. To the best of our knowledge, M-S-UEO was only studied and proven for Ed25519 as implemented in Libsodium[Bre20]. Therefore, relying on a weaker notion, "Universal Exclusive Ownership", is desirable.

Adding the credentials in the transcript hash would prevent identity mis-binding attacks since divergence in the identity of the authenticated host would lead to diverging transcript hashes and, therefore, different derived keys. Furthermore, we can rely on weaker notions of explicit ownership from a proof standpoint. Fortunately, Ed25519 provides explicit ownership [Bre20], and [Po05] already showed that the inclusion of the credentials along with the message in the signing process, as is done already in EDHOC, provides explicit ownership and prevents ambiguity.  For ECDSA, care must be taken in the implementation so that this construction guarantees exclusive ownership. Overall, we assume that CBOR encoding is unambiguous.

We would very much appreciate your feedback and thoughts on the discussion above, and we are happy to answer any questions you might have.


Kind regards,
Marc Ilunga (and Felix Günther)

[1] The need for a notion strictly stronger than standard EUF-CMA security for signature schemes also arises in the basic SIGMA protocol with the MAC under the signature. One needs that signature scheme is not only unforgeable for a random key but for all keys. Otherwise, an attacker may carry an identity mis-binding attack.
[Dow21] Dowling et al. "A Cryptographic Analysis of the TLS 1.3 Handshake Protocol", https://eprint.iacr.org/2020/1044.pdf
[Po05] Pornin and Stern, "Digital Signatures Do Not Guarantee Exclusive Ownership", https://link.springer.com/chapter/10.1007/11496137_10
[Bre20] Brendel et al. "The Provable Security of Ed25519: Theory and Practice", https://eprint.iacr.org/2020/823.pdf

v2.23.0 | Report a Bug | By Email