Formal Analysis of EDHOC Key Establishment for Constrained IoT Devices

Constrained IoT devices are becoming ubiquitous in society and there is a need for secure communication protocols that respect the constraints under which these devices operate. EDHOC is an authenticated key establishment protocol for constrained IoT devices, currently being standardized by the Intern...

Bibliographic details
Main authors: Norrman, Karl; Sundararajan, Vaishnavi; Bruni, Alessandro
Format: Conference proceedings
Language: eng
Description
Summary: Constrained IoT devices are becoming ubiquitous in society and there is a need for secure communication protocols that respect the constraints under which these devices operate. EDHOC is an authenticated key establishment protocol for constrained IoT devices, currently being standardized by the Internet Engineering Task Force (IETF). A rudimentary version of EDHOC with only two key establishment methods was formally analyzed in 2018. Since then, the protocol has evolved significantly and several new key establishment methods have been added. In this paper, we present a formal analysis of all EDHOC methods in an enhanced symbolic Dolev-Yao model using the Tamarin tool. We show that not all methods satisfy the authentication notion of injective agreement, but that they all do satisfy a notion of implicit authentication, as well as Perfect Forward Secrecy (PFS) of the session key material. We identify other weaknesses to which we propose improvements. For example, a party may intend to establish a session key with a certain peer, but end up establishing it with another, trusted but compromised, peer. We communicated our findings and proposals to the IETF, which has incorporated some of these in newer versions of the standard.
DOI:10.5220/0010554002100221