Research Article

Scrutinizing the Vulnerability of Ephemeral Diffie–Hellman over COSE (EDHOC) for IoT Environment Using Formal Approaches

Table 5

Summary of related works.

| Papers | Identified security issues | EDHOC version | Analysis tools used |
| --- | --- | --- | --- |
| [22] | (i) Disclosure of the responder’s identity in the asymmetric variant of the EDHOC protocol. | Draft-selander-ace-cose-ecdhe-08 [20] | ProVerif [24] |
| | (ii) An attacker can associate numerous sessions and perform attacks for the symmetric variant of the EDHOC protocol by using the same preshared key identifier. | | |
| | (iii) Only AD3 (for both symmetric and asymmetric variants) satisfies secrecy, perfect forward secrecy, and integrity at both the time of message arrival and the conclusion of the protocol. | | |
| [23] | (i) Absence of nonrepudiation security property. | Draft-selander-lake-edhoc-01 [21] | Tamarin [25] |
| | (ii) Lack of verification of ID_CREDR of Msg2 by the initiator. | | |
| | (iii) When the responder rejects recommended cipher suites, a security concern might arise because of a lengthy metasession spanning many EDHOC sessions. | | |
| Ours | (i) A resource exhaustion attack due to a significant amount of Msg1 sent to the responder. The responder does not authenticate Msg1 before computing expensive operations, hence depleting its resources. | Draft-ietf-lake-edhoc-07 [19] | BAN-Logic and AVISPA [26, 27] |
| | (ii) The responder’s failure to ensure the integrity of Msg1 and the difficulty of the initiator in validating Msg2 threaten the security of the protocol. | | |
| | (iii) A partial privacy attack that exposes the responder’s identity. Besides the mere violation of the secrecy of the responder’s distinctiveness, it can enable the attacker to reduce the difficulty of stealing the public authentication keys by one step. Moreover, the privacy of ID_PSK, in the symmetric-key option, is also violated as it is transmitted in plain text. | | |