Skip to content

Commit

Permalink
Checking G_X in EDHOC Message 1 #243
Browse files Browse the repository at this point in the history 
Removed the G_X checking that is heavy for implementations. That was a left over from the PSK mehtod.
  • Loading branch information
@emanjon
emanjon committed Feb 18, 2022
1 parent 4a8b629 commit 6de74fb
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions draft-ietf-lake-edhoc.md
View file
Expand Up @@ -785,8 +785,6 @@ The Responder SHALL process message_1 as follows:

* Decode message_1 (see {{CBOR}}).

* Verify that G_X is not equal to G_X in a simultanous EDHOC message exchange initiated by the Responder.

* Verify that the selected cipher suite is supported and that no prior cipher suite in SUITES_I is supported.

* Pass EAD_1 to the security application.
Expand Down Expand Up @@ -1169,6 +1167,8 @@ As discussed in {{SIGMA}}, the encryption of message_2 does only need to protect

Requirements for how to securely generate, validate, and process the ephemeral public keys depend on the elliptic curve. For X25519 and X448, the requirements are defined in {{RFC7748}}. For secp256r1, secp384r1, and secp521r1, the requirements are defined in Section 5 of {{SP-800-56A}}. For secp256r1, secp384r1, and secp521r1, at least partial public-key validation MUST be done.

To mititgate reflection attacks, the Initiator MUST verify that the the Responder's identity is not equal to Initiator's, e.g., by checking that ID_CRED_R was not previosly created by the Intiator. Any future EHDOC methods using e.g., pre-shared keys might need to mitigate this in other ways.

This comment has been minimized.

Sign in to view

Copy link
@marco-tiloca-sics

marco-tiloca-sics Feb 18, 2022

Collaborator

e.g., by checking that ID_CRED_R was not previosly created by the Intiator.

Just to be sure, is this equivalent to the following statement?

"For instance, the Initiator can check that it has never used and would never use such ID_CRED_R as ID_CRED_I, when acting as Initiator in an EDHOC session."

This would cover also a potential reflection attack occurring when the Initiator starts its first EDHOC session ever. In that case, the Initiator might not have "created" ID_CRED_I yet, since that can happen latest when preparing message_3.

On the other hand, this method requires an endpoint to prepare its ID_CRED_I before starting a first EDHOC execution.
## Cipher Suites and Cryptographic Algorithms {#sec_algs}

When using private cipher suite or registering new cipher suites, the choice of key length used in the different algorithms needs to be harmonized, so that a sufficient security level is maintained for certificates, EDHOC, and the protection of application data. The Initiator and the Responder should enforce a minimum security level.
Expand Down Expand Up @@ -1215,7 +1215,7 @@ The Initiator and the Responder are responsible for verifying the integrity and

The Initiator and the Responder are allowed to select the connection identifiers C_I and C_R, respectively, for the other party to use in the ongoing EDHOC protocol as well as in a subsequent application protocol (e.g., OSCORE {{RFC8613}}). The choice of connection identifier is not security critical in EDHOC but intended to simplify the retrieval of the right security context in combination with using short identifiers. If the wrong connection identifier of the other party is used in a protocol message it will result in the receiving party not being able to retrieve a security context (which will terminate the protocol) or retrieve the wrong security context (which also terminates the protocol as the message cannot be verified).

If two nodes unintentionally initiate two simultaneous EDHOC message exchanges with each other even if they only want to complete a single EDHOC message exchange, they MAY terminate the exchange with the lexicographically smallest G_X. If the two G_X values are equal, the received message_1 MUST be discarded to mitigate reflection attacks. Reflection attacks are not possible when the other endpoint's identity is verified, but could be a problem with trust on first use (TOFU) and future EHDOC methods using e.g., pre-shared keys. Note that in cases where several EDHOC exchanges with different parameter sets (method, COSE headers, etc.) are used, an attacker can affect which of the parameter sets that will be used by blocking some of the parameter sets.
If two nodes unintentionally initiate two simultaneous EDHOC message exchanges with each other even if they only want to complete a single EDHOC message exchange, they MAY terminate the exchange with the lexicographically smallest G_X. Note that in cases where several EDHOC exchanges with different parameter sets (method, COSE headers, etc.) are used, an attacker can affect which of the parameter sets that will be used by blocking some of the parameter sets.

If supported by the device, it is RECOMMENDED that at least the long-term private keys are stored in a Trusted Execution Environment (TEE) and that sensitive operations using these keys are performed inside the TEE. To achieve even higher security it is RECOMMENDED that additional operations such as ephemeral key generation, all computations of shared secrets, and storage of the PRK keys can be done inside the TEE. The use of a TEE aims at preventing code within that environment to be tampered with, and preventing data used by such code to be read or tampered with by code outside that environment.

Expand Down

0 comments on commit 6de74fb

Please sign in to comment.