ROBERT-proximity-tracing / documents

Protocol specification, white paper, high level documents, etc.

MAC verification at server end is performed last, should be first #17

Open ArchanaaSK opened 4 years ago

ArchanaaSK commented 4 years ago

According to the Specification, MAC is added to HELLO messages to prevent integrity attacks.

MAC_{A,i}: a HMAC-SHA256(K_A, c1 | M_{A,i}) truncated to 40 bits (c1 is the 8-bit prefix "01"). This field is used to prevent integrity attacks on the HELLO messages.

In ROBERT, the HELLO message verification by the server is performed last. In the infected user declaration phase, MAC verification is step 8, and in the exposure status request phase, MAC verification is step 5.

Shouldn't the MAC verification be step 1, after the message is parsed and information is extracted? Ideally, to efficiently reject modified or corrupted messages, the MAC should be verified first, before any other step. This is typically done in other protocols.

PRIVATICS-Inria commented 4 years ago

Thanks @ArchanaaSK. You are right, it seems that the MAC verification could be performed first. We will take your remark into account in a future version of the document.

PRIVATICS-Inria commented 4 years ago

(an update)

Thank you. Generally speaking, I agree. However, in this particular case, in order to check the MAC, you need to know the K_A key, which is only feasible when you know the id_A secret identifier (step 4 in section 6.2). We could perform steps 7 and 8 before 5 and 6, yes, but that’s all. Deciding what is appropriate is an implementation matter.
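
The ordering constraint from the last reply, as an added example that is not part of the thread or of the ROBERT specification: the MAC is checked at the earliest point where K_A is available, which is right after id_A has been recovered. Assumptions: `recover_id_a` is a hypothetical stand-in for step 4 of section 6.2, the message layout and key table are constructed, c1 is encoded as the byte 0x01, and truncation keeps the leftmost 40 bits of the digest.

```python
import hashlib
import hmac

C1 = b"\x01"   # assumption: the 8-bit prefix "01" encoded as the single byte 0x01
MAC_LEN = 5    # 40 bits; assumption: the leftmost bytes of the digest are kept

# Constructed server-side state: id_A -> K_A.
KEYS = {b"id-alice": bytes(range(32))}


def recover_id_a(m_a: bytes):
    """Hypothetical stand-in for step 4 of section 6.2 (recovering id_A).

    Constructed layout: the first 8 bytes of the message select the identity.
    The real recovery step is not reproduced here.
    """
    return {b"HELLO-01": b"id-alice"}.get(m_a[:8])


def hello_mac(k_a: bytes, m_a: bytes) -> bytes:
    """HMAC-SHA256(K_A, c1 | M_A,i) truncated to 40 bits."""
    return hmac.new(k_a, C1 + m_a, hashlib.sha256).digest()[:MAC_LEN]


def verify_hello(m_a: bytes, mac: bytes) -> str:
    """Return 'ok' or a rejection reason, checking the MAC as early as possible."""
    if len(mac) != MAC_LEN:
        return "malformed"            # cheap structural check, needs no key
    id_a = recover_id_a(m_a)          # K_A cannot be looked up before this
    k_a = KEYS.get(id_a) if id_a is not None else None
    if k_a is None:
        return "unknown-id"
    # Earliest point where K_A exists: verify before any further processing.
    # compare_digest avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(hello_mac(k_a, m_a), mac):
        return "bad-mac"
    return "ok"                       # remaining checks would run from here


if __name__ == "__main__":
    msg = b"HELLO-01" + b"constructed-payload"
    tag = hello_mac(KEYS[b"id-alice"], msg)
    print(verify_hello(msg, tag))                # ok
    print(verify_hello(msg + b"x", tag))         # bad-mac
```
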