A comprehensive, formal and automated analysis of the EDHOC protocol
Charlie Jacomme, Steve Kremer, Elise Klein, and Maïwenn Racouchot. A comprehensive, formal and automated analysis of the EDHOC protocol. In 32nd USENIX Security Symposium (USENIX Security'23), USENIX Association, Anaheim, CA, USA, August 2023.
Download
Abstract
EDHOC is a key exchange proposed by IETF's Lightweight Authenticated Key Exchange (LAKE) Working Group (WG). Its design focuses on small message sizes to be suitable for constrained IoT communication technologies. In this paper we provide an in-depth formal analysis of EDHOC-draft version 12, taking into account the different proposed authentication methods and various options. For our analysis we use the SAPIC+ protocol platform that allows to compile a single specification to 3 state-of-the-art protocol verification tools (PROVERIF, TAMARIN and DEEPSEC) and take advantage of the strengths of each of the tools. In our analysis we consider a large variety of compromise scenarios, and also exploit recent results that allow to model existing weaknesses in cryptographic primitives, relaxing the perfect cryptography assumption, common in symbolic analysis. While our analysis confirmed security for the most basic threat models, a number of weaknesses were uncovered in the current design when more advanced threat models were taken into account. These weaknesses have been acknowledged by the LAKE WG and the mitigations we propose (and prove secure) have been included in version 14 of the draft.
BibTeX
@inproceedings{JKKR-usenix23, abstract = {EDHOC is a key exchange proposed by IETF's Lightweight Authenticated Key Exchange (LAKE) Working Group (WG). Its design focuses on small message sizes to be suitable for constrained IoT communication technologies. In this paper we provide an in-depth formal analysis of EDHOC-draft version 12, taking into account the different proposed authentication methods and various options. For our analysis we use the SAPIC+ protocol platform that allows to compile a single specification to 3 state-of-the-art protocol verification tools (PROVERIF, TAMARIN and DEEPSEC) and take advantage of the strengths of each of the tools. In our analysis we consider a large variety of compromise scenarios, and also exploit recent results that allow to model existing weaknesses in cryptographic primitives, relaxing the perfect cryptography assumption, common in symbolic analysis. While our analysis confirmed security for the most basic threat models, a number of weaknesses were uncovered in the current design when more advanced threat models were taken into account. These weaknesses have been acknowledged by the LAKE WG and the mitigations we propose (and prove secure) have been included in version 14 of the draft.}, address = {Anaheim, CA, USA}, author = {Jacomme, Charlie and Kremer, Steve and Klein, Elise and Racouchot, Ma{\"\i}wenn}, booktitle = {32nd USENIX Security Symposium ({USENIX} Security'23)}, month = aug, publisher = {{USENIX} Association}, title = {A comprehensive, formal and automated analysis of the EDHOC protocol}, year = 2023, acronym = {{USENIX} Security'23}, nmonth = 8, }