New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Computational analysis of EDHOC Sig-Sig - improvement suggestions for transcript hashes #317
Comments
Change implementing the change to TH_3 and TH_4 suggested by Marc and Felix in #317
Hi! When reading:
I understood that a kid would map to multiple keys, but all of those keys would be owned by the same party. From what I understand, the attack described here only occurs when one kid maps to keys owned by distinct parties. (I think the update proposed is no matter what a good idea though, it strictly improves things) |
My interpretation of COSE is that one kid might map to keys owned by distinct parties. Seems hard to guarantee anything about kids unless there is a single authority that controls all the kids. as soon as there are several authorities there might be collisions. That all the keys with a certain kid belongs to a single party would require that a single authority determines all the kids or that some additional header parameter like kid_context is used. I think the whole reason that kid_context was introduced was to separate between different authorities determining kids. Maybe it would be good to clarify things in I-D.ietf-cose-rfc8152bis-struct |
Thanks for this quick feedback! |
I sent a mail to COSE suggesting that this should maybe be clarified https://mailarchive.ietf.org/arch/msg/cose/WfEA8SHlLtK8yxFxmrb0PiDnsys/ |
I am trying to precisely detail step by step the missbinding attack to understand how to improve our symbolic models and capture it, and I am not precisely able to. My first idea would require to be able to alter the signature under the xor, is this indeed the needed capability? Marc, could you give the details on how it would be carried out? |
Below is my mail to LAKE on the topic
|
|
The MAC-then-Sign version of SIGMA-I is proven to be secure. If the above attack is possible in EDHOC it seems interesting to make a comparision between EDHOC SIG-SIG and SIGMA-I:
|
Hi all,
Identity mis-binding attack on MAC-then-SIGn and unforgeability requirements.
Indeed MAC-then-Sign is proven secure, but the attack concerns the particularity of having the MAC under the signature, which is not completely considered in the previous analysis. Quoting the above paper (https://link.springer.com/chapter/10.1007/3-540-45708-9_10):
However, in the context of an identity mis-binding attack, we are concerned about the possibility of computing Based on the existing SIGMA analysis, the requirement for the signature scheme is unforgeability. Namely, the signature is unforgeable "on the average," i.e. for a random key. However, this does not exclude the possibility of "weak" keys, which are, for instance, a key pair
Why doesn't this attack work on the "normal" SIGMA? With the MAC under the signature, peers do not have a notion of verifying a MAC and do so only implicitly via a successful signature verification. In the "normal" SIGMA, the MAC is explicitly verified; hence the attack above doesn't work even with a pathological signature scheme. Obviously, EDHOC doesn't quite use such a pathological scheme; however, this shows that this case has to be carefully analysed, hence the suggestion for the transcript hashes. |
So does this identity misbinding attack mean that IKEv1 and IKEv2 does not provide authentication, aliveness, peer awareness, etc? |
Hi @emanjon apologies for the delayed response, as I am coming towards the end of my thesis project I need to finalize my writing… From a theoretical perspective, at least, it appears that we require some notion of exclusive ownership to prove security of the MAc-then-SIGn, this also depends on how it is instantiated. The EDHOC instantiation seems to do the right thing. |
@charlie-j, Also apologies for providing the requested details, late. I wondered whether you had the chance to analyze this issue and what results you get from your formal modeling. |
Our model did in fact already cover such weak keys for signatures, and in the case of EDHOC such attack is impossible, from what I understand mostly because the attacker cannot perform a MiTM as it cannot compute the encryption keys of the multiple messages. Only in message 2, which is not integrity protected, could the attacker hope to change the signature such that if it was able to go by xoring from the ID_CRED_R to an ID pointing to some weak key, the signature check would go through for some other identity. But then the hash transcript would change and the key exchange would never go further, as the initiator would then produce a message encrypted with a key that neither the attacker nor the reponder can compute. |
Dear @charlie-j , thanks for the feedback and the insights on how your formal model captured weak keys. More precisely, from the assumption that ID_CRED may hint at multiple credentials and associated public keys. The verification process would look something like the following pseudo-code(here for the initiator)
If the adversary would register a specially weak key |
I did understand your attack, and I was trying to essentially lift the attack you are describing to one that does not require the multiple CRED_R for one ID_CRED_R assumption. I was trying to do that, because under the multiple ID_CRED assumption, the authentication property becomes weird. If we ask for authentication over the ID_CRED and the attacker can register its own pk for an honnest ID_CRED, this already breaks authentication. If we ask for authentication over the pks, then in your attack, the initiator is simply using an attacker key, for which we have no guarantees, and it is thus not breaking the authentication property. |
Apologies, I misunderstood the previous message. But we had a similar observation if using unique ID_CRED. These attacks don't really work. But adding the credentials to the transcript hashes strengthen the guarantees. |
No worries, I was unclear. |
No disagreement and the PR #318 is included in edhoc-16 |
Following our last email and in preparation for the IETF 114, we would like to offer a suggestion from our computational analysis of EDHOC. I will first state the suggestion and then give some motivation and justification.
Suggestion: Include the authentication credentials in the transcript hash computation.
Namely, we suggest modifying the transcript hashes TH_3 and TH_4 to include the credential of the peer that authenticate themselves. More precisely, we propose that protocol participants compute:
Similarly, we propose that the computation of TH_4 becomes
The philosophy behind this proposal is to make explicit the identity of the peer that authenticated themselves, even if those identities are not sent. (One can think of this as expanding TH to include the actual identity credentials, which the sent ID_CRED values hint to but do not uniquely determine). This is to simplify arguing agreement on the communication peer.
Motivation and justification:
We analysed EDHOC in the Multi-Stage Key exchange model, following the work [Dow21] of Dowling et al.
We suggest the change above as an improvement towards ensuring explicit authentication, which we observed when analysing the following excerpt from the draft (draft-14, section 3.5.3):
"As stated in Section 3.1 of [I-D.ietf-cose-rfc8152bis-struct], applications MUST NOT assume that 'kid' values are unique, and several keys associated with a 'kid' may need to be checked before the correct one is found. Applications might use additional information such as 'kid context' or lower layers to determine which key to try first. Applications should strive to make ID_CRED_x as unique as possible, since the recipient may otherwise have to try several keys."
We modelled the above statement conservatively and considered that any ID_CRED might reference multiple identities and associated credentials. A potential consequence of this modelling is that there may be ambiguity about the identity of the peer who authenticated themselves, which needs careful consideration. For instance, if ID_CRED_R refers to both CRED_R and CRED_R', the initiator that tries multiple public keys could conclude that it is talking to R'. If this occurs, the protocol would still come to completion since the transcript hash won't change.
The standard unforgeability notion of signature schemes would not necessarily prevent such a scenario [1], and our analysis relies on strictly stronger notions. Concretely we require that signature schemes in EDHOC provide explicit ownership. In our model and proof, we had to rely on the relatively strong notion of "Malicious Universal Exclusive Ownership" to capture explicit authentication for EDHOC as currently specified. To the best of our knowledge, M-S-UEO was only studied and proven for Ed25519 as implemented in Libsodium[Bre20]. Therefore, relying on a weaker notion, "Universal Exclusive Ownership", is desirable.
Adding the credentials in the transcript hash would prevent identity mis-binding attacks since divergence in the identity of the authenticated host would lead to diverging transcript hashes and, therefore, different derived keys. Furthermore, we can rely on weaker notions of explicit ownership from a proof standpoint. Fortunately, Ed25519 provides explicit ownership [Bre20], and [Po05] already showed that the inclusion of the credentials along with the message in the signing process, as is done already in EDHOC, provides explicit ownership and prevents ambiguity. For ECDSA, care must be taken in the implementation so that this construction guarantees exclusive ownership. Overall, we assume that CBOR encoding is unambiguous.
We would very much appreciate your feedback and thoughts on the discussion above, and we are happy to answer any questions you might have.
Kind regards,
Marc Ilunga (and Felix Günther)
[1] The need for a notion strictly stronger than standard EUF-CMA security for signature schemes also arises in the basic SIGMA protocol with the MAC under the signature. One needs that signature scheme is not only unforgeable for a random key but for all keys. Otherwise, an attacker may carry an identity mis-binding attack.
[Dow21] Dowling et al. "A Cryptographic Analysis of the TLS 1.3 Handshake Protocol", https://eprint.iacr.org/2020/1044.pdf
[Po05] Pornin and Stern, "Digital Signatures Do Not Guarantee Exclusive Ownership", https://link.springer.com/chapter/10.1007/11496137_10
[Bre20] Brendel et al. "The Provable Security of Ed25519: Theory and Practice", https://eprint.iacr.org/2020/823.pdf
https://mailarchive.ietf.org/arch/msg/lake/BTxPdJl0Z8ylSe1P7i0BFx1T_0o/
The text was updated successfully, but these errors were encountered: