Commit

Merge pull request #309 from lake-wg/Selfie-attacks-mitigation-implies-privacy-loss-for-the-Initiators

Selfie attacks mitigation implies privacy-loss for the Initiators
emanjon committed Jun 29, 2022
2 parents 046b079 + a2a9f4d commit 0399453
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion draft-ietf-lake-edhoc.md
Expand Up @@ -1284,7 +1284,7 @@ Requirements for how to securely generate, validate, and process the ephemeral p

As noted in Section 12 of {{I-D.ietf-cose-rfc8152bis-struct}} the use of a single key for multiple algorithms is strongly discouraged unless proven secure by a dedicated cryptographic analysis. In particular this recommendation applies to using the same private key for static Diffie-Hellman authentication and digital signature authentication. A preliminary conjecture is that a minor change to EDHOC may be sufficient to fit the analysis of secure shared signature and ECDH key usage in {{Degabriele11}} and {{Thormarker21}}.

So-called selfie attacks are mitigated as long as the Initiator does not have its own identity in the set of Responder identities it is allowed to communicate with. In Trust on first use (TOFU) use cases, see {{tofu}}, the Initiator should verify that the Responder's identity is not equal to its own. Any future EHDOC methods using e.g., pre-shared keys might need to mitigate this in other ways.
The property that a completed EDHOC exchange implies that another identity has been active is upheld as long as the Initiator does not have its own identity in the set of Responder identities it is allowed to communicate with. In Trust on first use (TOFU) use cases, see {{tofu}}, the Initiator should verify that the Responder's identity is not equal to its own. Any future EHDOC methods using e.g., pre-shared keys might need to mitigate this in other ways. However, an active attacker can gain information about the set of identities an Initiator is willing to communicate with. If the Initiator is willing to communicate with all identities except its own an attacker can determine that a guessed Initiator identity is correct. To not leak any long-term identifiers, it is recommended to use a freshly generated authentication key as identity in each initial TOFU exchange.

## Cipher Suites and Cryptographic Algorithms {#sec_algs}
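
Review bot: In the added paragraph, the sentence beginning "However, an active attacker can gain information" comes right after the remark about future pre-shared-key methods, so it is unclear which statement it qualifies. It belongs directly after the TOFU identity check, with the pre-shared-key remark moved to the end of the paragraph. The leak is described for any Initiator that accepts all identities except its own, but the recommendation to use a freshly generated authentication key is scoped only to the initial TOFU exchange; please state whether an Initiator with a configured set of Responder identities is affected and what it should do. The rewrite also drops the term "selfie attacks" used in the removed line, so consider keeping the name once so readers who know the attack by that name can find the text. Minor: "EHDOC" should be "EDHOC", and a comma is needed after "except its own".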
