
EDHOC is a New Security Handshake Standard: An Overview of Security Analysis

Elsa López Pérez (Inria), Göran Selander, John Preuß Mattsson, Thomas Watteyne, Mališa Vučinić

TL;DR

EDHOC provides a lightweight, SIGMA-based authenticated key exchange tailored for constrained IoT, enabling a compact DH key agreement framework that complements OSCORE. The paper synthesizes formal symbolic and computational analyses performed up to RFC 9528/9529, detailing vulnerabilities (e.g., $PRK_{4e3m}$ reuse, identity misbinding, KCI on $K_3$) and the mitigations that led to stronger transcripts and a robust final key derivation involving $TH_4$. It highlights a three-message handshake with an optional fourth and a two-stage key schedule ($\text{EDHOC\_Extract}$/$\text{EDHOC\_Expand}$) that produces session keys like $K_2$, $K_3$, and $PRK$ values via $\text{EDHOC\_KDF}$, with cryptographic strength targets of at least 128 bits. The analyses confirm strong performance for constrained deployments, note the improved security when including the final transcript hash and longer MACs or an additional message, and point to future work on post-quantum variants and PSK-based rekeying paths requiring formal validation. Overall, the paper demonstrates that EDHOC, as standardized, achieves secure, compact handshakes suitable for IoT while guiding ongoing enhancements through formal analysis.

Abstract

The paper wraps up the call for formal analysis of the new security handshake protocol EDHOC by providing an overview of the protocol as it was standardized, a summary of the formal security analyses conducted by the community, and a discussion on open venues for future work.

Paper Structure (11 sections, 3 figures, 4 tables)

This paper contains 11 sections, 3 figures, 4 tables.

Figures (3)

  • Figure 1: Message flow of the SIGMA protocol. The blue boxes denote additions to the SIGMA-I variant. The yellow boxes denote additions to the MAC-then-Sign variant.
  • Figure 2: The EDHOC message flow. The fields (X, $G^X$) (resp. (Y, $G^Y$)) represent the ephemeral private and public keys of the Initiator (resp. Responder). Field $CRED_I$ (resp. $CRED_R$) denotes the authentication credentials containing the public authentication keys of I (resp. R). Method is an integer (0, 1, 2, or 3) denoting the authentication method (see the paper's table of EDHOC authentication methods). Cipher Suites is an ordered set of preferred algorithms (see the paper's table of cipher suites). If Method is either 0 or 1 for the Initiator (resp. 0 or 2 for the Responder), then Sig or MAC equals Sig. The fourth message is optional (represented with a dashed line).
  • Figure 3: The EDHOC key schedule as standardized in RFC 9528, adapted from Vučinić et al. [vucinic22lightweight].
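
The two-stage key schedule named in the TL;DR and in the Figure 3 caption, as an added Python sketch that is not code from the paper or from any EDHOC implementation. The label numbers, the CBOR `info` layout, the SHA-256 suite and the choice of the method where both peers use static DH keys are assumptions drawn from RFC 9528, not from this page; all input values are constructed.

```python
import hashlib
import hmac

HASH_LEN, KEY_LEN = 32, 16  # assumed suite: SHA-256 hash, 128-bit AEAD key

def cbor_head(major, n):
    """Minimal CBOR head (major type plus a value below 65536)."""
    if n < 24:
        return bytes([major << 5 | n])
    if n < 256:
        return bytes([major << 5 | 24, n])
    return bytes([major << 5 | 25]) + n.to_bytes(2, "big")

def edhoc_info(label, context, length):
    """info = CBOR sequence (label: int, context: bstr, length: uint)."""
    return cbor_head(0, label) + cbor_head(2, len(context)) + context + cbor_head(0, length)

def edhoc_extract(salt, ikm):
    """Stage 1: HKDF-Extract with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def edhoc_expand(prk, info, length):
    """Stage 2: HKDF-Expand with SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def edhoc_kdf(prk, label, context, length):
    return edhoc_expand(prk, edhoc_info(label, context, length), length)

def key_schedule(g_xy, g_rx, g_iy, th_2, th_3, th_4):
    """PRK chain when both peers authenticate with static DH keys."""
    prk_2e = edhoc_extract(th_2, g_xy)
    prk_3e2m = edhoc_extract(edhoc_kdf(prk_2e, 1, th_2, HASH_LEN), g_rx)
    k_3 = edhoc_kdf(prk_3e2m, 3, th_3, KEY_LEN)
    prk_4e3m = edhoc_extract(edhoc_kdf(prk_3e2m, 5, th_3, HASH_LEN), g_iy)
    prk_out = edhoc_kdf(prk_4e3m, 7, th_4, HASH_LEN)  # final key is bound to TH_4
    return {"K_3": k_3, "PRK_4e3m": prk_4e3m, "PRK_out": prk_out}

def sample(tag):
    """Constructed 32-byte stand-in for a DH secret or transcript hash."""
    return hashlib.sha256(tag).digest()

if __name__ == "__main__":
    names = [b"G_XY", b"G_RX", b"G_IY", b"TH_2", b"TH_3", b"TH_4"]
    for name, value in key_schedule(*map(sample, names)).items():
        print(name, value.hex())
```

Changing only the `th_4` input leaves `K_3` and `PRK_4e3m` untouched but yields a different `PRK_out`, which is the effect of including the final transcript hash in the last derivation.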