Re: [Lake] Computational EDHOC analysis - Some early comments and questions

Göran Selander <goran.selander@ericsson.com> Thu, 07 April 2022 06:29 UTC

From: Göran Selander <goran.selander@ericsson.com>
To: Ilunga Tshibumbu Mukendi Marc <marcilu@student.ethz.ch>, "mail@felixguenther.info" <mail@felixguenther.info>, "lake@ietf.org" <lake@ietf.org>
Date: Thu, 07 Apr 2022 06:28:56 +0000
Message-ID: <79A1AB7C-0E34-4E97-8802-372D58ADBE7A@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/Cts1imqf6svvviTNDHig-4slnLM>

Hi Marc and Felix,

Thanks very much for the early feedback from your analysis! We hope to get back with a response next week.

Just a brief note regarding your main point 2 below: since the main use of EDHOC is to establish keys for an application protocol, there is currently no "final" session key defined. For several reasons, including your comments, we are considering following the proposal in #269 <https://github.com/lake-wg/edhoc/issues/269>.

Thanks,
Göran



From: Lake <lake-bounces@ietf.org> on behalf of Ilunga Tshibumbu Mukendi Marc <marcilu@student.ethz.ch>
Date: Thursday, 31 March 2022 at 15:18
To: "lake@ietf.org" <lake@ietf.org>
Cc: "mail@felixguenther.info" <mail@felixguenther.info>
Subject: [Lake] Computational EDHOC analysis - Some early comments and questions

Dear LAKE WG,

We are a team from ETH Zurich working on a computational analysis of EDHOC as a key exchange protocol. We are currently at an early stage of our work, but hope to have some preliminary analysis results in the next two months or so.
At this point, we're reaching out mainly to communicate a few early comments / questions based on our investigations so far. We hope this can clarify potential misunderstandings on our side before we dive deeper into our analysis.


Main points:

 1. Transcript Hashes:
 In Section 5.4.2, the draft states that TH_3 takes the ciphertext (of message 2) as input instead of the underlying plaintext; TH_4 works similarly. Is there a particular reason for including the ciphertext and not the plaintext (as done, e.g., in TLS 1.3)?
 (From an analysis perspective, hashing the ciphertext might introduce dependencies on the encryption method.)

 2. Session Key:
 It is unclear to us what is considered the "final" session key in EDHOC. PRK_4x3m seems to be the "final" key derived in the main document. As PRK_4x3m is however also used for deriving the encryption keys, MAC keys, OSCORE security context, exported material, etc., it is not an "independent and random-looking" key anymore by the time EDHOC completes, which would be the computational security guarantee one would ask for in a key exchange.

 3. Key Reuse in KDF:
 The key schedule uses PRK_2e, PRK_3e2m, and PRK_4x3m as inputs in both Extract and Expand (depending on the authentication mode). Such reuse of key material across primitives is generally not secure. Concretely, in HMAC/KMAC-based derivation, one would need to carefully ensure domain separation between such calls. We point out that TLS 1.3, specifically for that reason, uses derived secrets (RFC 8446, Section 7.1: keys with label "derived") to separate Extract and Expand calls (cf. [1]).


Secondary points:

 4. KDF Usage in KeyUpdate:
    1) The method takes a nonce to prevent "short cycles". What exactly is meant by that or the formal reasoning behind this?
    2) Since Extract is used here as a PRF, the key (PRK_4x3m) should be the first input, and nonce the second. (In that context, even a constant nonce would be fine; hence the question in 1).)
    3) To prevent key reuse across primitives, KeyUpdate should use Expand, not Extract. (see 3.)

 5. Key Updates for OSCORE:
 As currently specified, it seems key updates will not influence the OSCORE security context (or other applications), as it seems such keys are not updated/re-derived. Is that intended?

 6. Connection Identifiers:
 The draft states that CIDs have no cryptographic purpose (Section 3.3), but at the same time that they may be used to identify keys (Section 2), which sounds like a cryptographic purpose. What are we misunderstanding?

 7. MAC Length:
 On page 30, MAC lengths seem to depend on the authentication mode (besides the ciphersuite). What is the reason behind changing MAC length based on the mode?

 8. XOR Encryption for Message 2:
 Why is message 2 encrypted via a one-time pad instead of using the AEAD scheme? While an attacker can of course impersonate the server at this point, an AEAD scheme still protects against manipulations by a so-far passive person-in-the-middle.

 9. Usage of EADs:
 The security guarantees for EADs are not explicit. They are considered unprotected; however, they are also passed to security applications. Moreover, the draft states, "the content in an EAD field may impact the security properties provided by EDHOC." What security guarantees can be affected by the EADs?


We hope these initial comments are helpful and look forward to some clarifications of the questions we have.

Kind regards,
Felix Günther and Marc Ilunga


[1] https://github.com/tlswg/tls13-spec/pull/875
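The following Python program is an added illustration of main point 3 and secondary points 4.2/4.3 in the message above; it is not code from the EDHOC draft, the LAKE WG, or the authors of either message. Its two-stage key schedule, its length-prefixed label encoding, and the sample secrets are constructed for the illustration and are not EDHOC's actual key schedule. It implements HKDF-Extract/Expand (RFC 5869) over an instrumented HMAC, runs a schedule in which one PRK is both the Expand key for a traffic key and the salt of the next Extract, runs the same schedule with a TLS 1.3-style "derived" secret in between (RFC 8446, Section 7.1), and reports which HMAC keys ended up serving in more than one role. It also writes a key update both ways discussed in point 4: as Extract(nonce, PRK), where the nonce occupies the HMAC key slot and the secret becomes the message, and as a labelled Expand keyed by the PRK.

```python
import hmac
import hashlib

# SHA-256 throughout; the Extract/Expand functions follow RFC 5869 exactly.
HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

# Every HMAC call the KDF makes is recorded as (role, hmac_key, hmac_message)
# so that a key's roles can be audited afterwards.  Roles: "extract-salt"
# (the salt slot of Extract, which is the HMAC key) or "expand-prk".
USAGE_LOG = []

def _keyed_hmac(key: bytes, msg: bytes, role: str) -> bytes:
    USAGE_LOG.append((role, key, msg))
    return hmac.new(key, msg, HASH).digest()

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 Extract: PRK = HMAC-Hash(salt, IKM); the salt is the HMAC key."""
    if not salt:
        salt = bytes(HASH_LEN)
    return _keyed_hmac(salt, ikm, "extract-salt")

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 Expand: OKM = T(1) | T(2) | ..., T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = _keyed_hmac(prk, t + info + bytes([counter]), "expand-prk")
        okm += t
        counter += 1
    return okm[:length]

def derive_secret(prk: bytes, label: str, context: bytes = b"") -> bytes:
    """Labelled Expand in the spirit of TLS 1.3 Derive-Secret (RFC 8446, 7.1).
    The length-prefixed info layout is assumed for this illustration only."""
    info = bytes([len(label)]) + label.encode() + len(context).to_bytes(2, "big") + context
    return hkdf_expand(prk, info, HASH_LEN)

def keys_used_in_multiple_roles() -> set:
    """HMAC keys that served both as an Extract salt and as an Expand PRK."""
    roles = {}
    for role, key, _ in USAGE_LOG:
        roles.setdefault(key, set()).add(role)
    return {key for key, seen in roles.items() if len(seen) > 1}

def slots_of(value: bytes) -> set:
    """HMAC slots a value occupied in the log: 'key' (the PRF key) or 'message'."""
    slots = set()
    for _, key, msg in USAGE_LOG:
        if key == value:
            slots.add("key")
        if value in msg:
            slots.add("message")
    return slots

def run_schedule(ss_1: bytes, ss_2: bytes, th: bytes, separated: bool) -> dict:
    """Constructed two-stage schedule (not EDHOC's): Extract from a first DH
    secret, derive a traffic key, then Extract again from a second DH secret.
    separated=False reuses the first PRK as the next salt (the pattern point 3
    warns about); separated=True puts a labelled "derived" secret in between."""
    USAGE_LOG.clear()
    prk_a = hkdf_extract(b"", ss_1)
    traffic_key = derive_secret(prk_a, "key", th)
    salt_b = derive_secret(prk_a, "derived") if separated else prk_a
    prk_b = hkdf_extract(salt_b, ss_2)
    # Hand the application a labelled derivative of prk_b, never prk_b itself,
    # so the value that keys later Expand calls is not the exported key.
    session_key = derive_secret(prk_b, "session", th)
    return {"prk_a": prk_a, "traffic_key": traffic_key, "prk_b": prk_b,
            "session_key": session_key, "reused": keys_used_in_multiple_roles()}

def key_update_extract(prk: bytes, nonce: bytes) -> bytes:
    """Update as Extract(nonce, PRK): the public nonce lands in the HMAC key slot
    and the secret becomes the message (the argument order point 4.2 questions)."""
    USAGE_LOG.clear()
    return hkdf_extract(nonce, prk)

def key_update_expand(prk: bytes, nonce: bytes) -> bytes:
    """Update as a labelled Expand: the secret stays in the key slot, the nonce is
    context, and the label keeps it apart from every other Expand call."""
    USAGE_LOG.clear()
    return derive_secret(prk, "update", nonce)

if __name__ == "__main__":
    # Constructed sample inputs; real DH outputs and transcript hashes differ.
    ss_1, ss_2, th = bytes(range(32)), bytes(range(32, 64)), b"constructed-TH"
    for separated in (False, True):
        out = run_schedule(ss_1, ss_2, th, separated)
        print(f"separated={separated}: keys in two roles = "
              f"{[k.hex()[:16] for k in out['reused']]}")
    prk, nonce = out["prk_b"], b"constructed-nonce"
    key_update_extract(prk, nonce)
    print("Extract(nonce, PRK): secret in", slots_of(prk), "nonce in", slots_of(nonce))
    key_update_expand(prk, nonce)
    print("Expand(PRK, 'update', nonce): secret in", slots_of(prk), "nonce in", slots_of(nonce))
```

Run as a script, the module reports that the first PRK is the only key found in two roles in the reused variant and that no key is in two roles once the "derived" step is inserted; for the key update it shows which HMAC slot the secret occupies in each form. The audit works only because every HMAC call goes through one instrumented function, which is also a convenient place to enforce a rule such as "a PRK may key Expand, or salt Extract, but never both" in a real implementation.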