[Lake] LAKE-EDHOC-PSK Potential Issue

FRANCISCO LOPEZ GOMEZ <francisco.lopezg@um.es> Tue, 18 February 2025 14:09 UTC

List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/YC0GWbcIsW3Gk9XJbZXLRVE8fXM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake>

Hi all,
I have identified a potential issue in the EDHOC-PSK draft specification (draft-ietf-lake-edhoc-psk-02).
The issue is in the calculation of Transcript Hash 3 (TH_3), which is defined as follows:
TH_3 = H( TH_2, PLAINTEXT_2, CRED_PSK )
TH_3 is then used to generate KEYSTREAM_3:
KEYSTREAM_3 = EDHOC_KDF( PRK_3e2m, TBD, TH_3, ID_CRED_PSK length )
KEYSTREAM_3 is used by the Initiator to encrypt ID_CRED_PSK before sending it in message_3. Consequently, the Responder needs to derive the same KEYSTREAM_3 to decrypt ID_CRED_PSK when processing message_3.
The issue is that TH_3 already includes CRED_PSK. However, the Responder requires KEYSTREAM_3 to decrypt ID_CRED_PSK and determine which PSK should be used. This creates a circular dependency:

  1.  To derive KEYSTREAM_3, the Responder must first compute TH_3.
  2.  Computing TH_3 requires CRED_PSK, which depends on knowing the correct PSK.
  3.  However, the Responder can only determine the correct PSK after decrypting ID_CRED_PSK using KEYSTREAM_3.

Best regards,
Francisco.
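
The dependency described in the message above can be modelled in a few lines. This is an added example, not part of the original message or of the draft. It assumes simplified stand-ins for H() and EDHOC_KDF (no CBOR encoding), a placeholder value for the TBD label, and constructed credentials. In this model the Responder cannot look the credential up; it can only guess a stored CRED_PSK and check whether the decrypted identifier matches.

```python
import hashlib
import hmac

LABEL_TBD = 0xFF  # placeholder: the draft text above gives this label as TBD

def H(*parts):
    # Stand-in for H() over a CBOR sequence: SHA-256 of length-prefixed parts.
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def edhoc_kdf(prk, label, context, length):
    # Simplified HKDF-Expand with HMAC-SHA-256 (info is not CBOR-encoded here).
    info = bytes([label]) + context + length.to_bytes(2, "big")
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def keystream_3(prk_3e2m, th_2, plaintext_2, cred_psk, length):
    th_3 = H(th_2, plaintext_2, cred_psk)  # TH_3 already depends on CRED_PSK
    return edhoc_kdf(prk_3e2m, LABEL_TBD, th_3, length)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def initiator_encrypt_id(prk, th_2, pt2, id_cred_psk, cred_psk):
    return xor(id_cred_psk, keystream_3(prk, th_2, pt2, cred_psk, len(id_cred_psk)))

def responder_recover_id(prk, th_2, pt2, ciphertext, store):
    # store maps ID_CRED_PSK -> CRED_PSK. No lookup is possible before decryption,
    # so each stored credential is guessed in turn and checked for consistency.
    trials = 0
    for cand_id, cand_cred in store.items():
        trials += 1
        ks = keystream_3(prk, th_2, pt2, cand_cred, len(ciphertext))
        if xor(ciphertext, ks) == cand_id:
            return cand_id, trials
    return None, trials

# Constructed sample values, not taken from the draft or any test vector.
PRK_3E2M = bytes([0x11]) * 32
TH_2 = H(b"constructed TH_2")
PLAINTEXT_2 = b"constructed PLAINTEXT_2"
STORE = {b"kid1": b"cred-A", b"kid2": b"cred-B", b"kid3": b"cred-C"}
CIPHERTEXT = initiator_encrypt_id(PRK_3E2M, TH_2, PLAINTEXT_2, b"kid3", STORE[b"kid3"])
```

Calling `responder_recover_id(PRK_3E2M, TH_2, PLAINTEXT_2, CIPHERTEXT, STORE)` returns the identifier together with the number of credentials that had to be tried, which grows with the size of the Responder's credential store.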