Open ArchanaaSK opened 4 years ago
Thanks @ArchanaaSK. You are right, it seems that the MAC verification could be performed first. We will take your remark into account in a future version of the document.
(an update)
Thank you. Generally speaking, I agree. However, in this particular case, in order to check the MAC, you need to know the K_A key, which is only feasible when you know the id_A secret identifier (step 4 in section 6.2). We could perform steps 7 and 8 before 5 and 6, yes, but that’s all. Deciding what is appropriate is an implementation matter.
According to the Specification, MAC is added to HELLO messages to prevent integrity attacks.
In ROBERT, the HELLO message verification by the server is performed last. In the infected user declaration phase, MAC verification is step 8, and in the exposure status request phase, MAC verification is step 5.
Shouldn't the MAC verification be step 1 after the message is parsed and information is extracted? Ideally, to efficiently reject modified or corrupted messages, MAC should be verified first before any other step. This is typically done in other protocols.
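The ordering constraint discussed in this thread, as an added example that is not part of the thread or of the ROBERT specification: a simplified server-side check in which K_A can only be selected once id_A is known, so the MAC check runs immediately after that lookup and before the remaining field checks. The message layout, the lookup table standing in for identifier decryption, the key value and the freshness window are all assumptions.

```python
import hashlib
import hmac

# Constructed server state (assumption): a table standing in for the
# decryption step that recovers id_A from the identifier sent in HELLO.
EBID_TO_ID = {b"ebid-0001": b"id_A-alice"}
# Per-user MAC keys K_A indexed by id_A (constructed value).
KEYS = {b"id_A-alice": b"\x11" * 32}
MAX_SKEW = 3  # hypothetical freshness window, in seconds


def _mac(key: bytes, ebid: bytes, time: int) -> bytes:
    """HMAC-SHA256 over identifier and timestamp (simplified layout)."""
    return hmac.new(key, ebid + time.to_bytes(4, "big"), hashlib.sha256).digest()


def make_hello(ebid: bytes, time: int, key: bytes) -> dict:
    """Client side: build a HELLO-like message authenticated with K_A."""
    return {"ebid": ebid, "time": time, "mac": _mac(key, ebid, time)}


def verify_hello(msg: dict, now: int) -> str:
    """Return "ok" or the name of the check that rejected the message."""
    # 1. Recover id_A. Without it the server cannot select K_A, so this
    #    step cannot be moved after the MAC check.
    id_a = EBID_TO_ID.get(msg["ebid"])
    key = KEYS.get(id_a) if id_a is not None else None
    if key is None:
        return "unknown-id"
    # 2. MAC check, as early as the key dependency allows; constant-time
    #    comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(_mac(key, msg["ebid"], msg["time"]), msg["mac"]):
        return "bad-mac"
    # 3. Remaining checks run only on fields now known to be authentic.
    if abs(now - msg["time"]) > MAX_SKEW:
        return "stale"
    return "ok"


if __name__ == "__main__":
    hello = make_hello(b"ebid-0001", 1000, KEYS[b"id_A-alice"])
    print(verify_hello(hello, 1001))
    print(verify_hello(dict(hello, time=1001), 1001))
```
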