We are currently designing a simple Challenge-Response Authentication Mechanism (CRAM) protocol based on symmetric cryptography that would be used on the constrained embedded devices that would operate in a closed short-range network.
Mutual authentication is desired. The security capabilities offered by the devices are for now unknown. Hence, we are focusing primarily on using only the AES protocol during the authentication. In case we can also use, e.g., a MAC protocol, we would extend it during the subsequent secure channel communication.
We assume that both devices have the appropriate symmetric keys. Challenges (chg_x) are intended to be 16 bytes and randomly generated using a true RNG.
The sequence flow of the protocol would be:
- $A \rightarrow B : id_A, chg_A $
- $A \leftarrow B : id_B, enc(chg_A), enc(chg_B)$
- $A \rightarrow B : dec(enc(chg_B))$
The device $A$ would verify its challenge during the reply and also decrypt and send the challenge from the other device. The encryption on the device $B$ of its challenge $chg_B$ is done to avoid reflection attacks as indicated in this question.
For the secure channel afterwards, we would plan to use a $ KDF(K||chg_A) $ to derive session keys.
My questions are:
- would this protocol be sufficient for the intended scenario, or is it still vulnerable to some other attacks?
- is it still desirable to also have a hash or MAC during the authentication in some capacity to alleviate potential threats?
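The three-message flow in the question, written out end to end as an added example in Go (this is not the asker's code). The mapping to the notation above is an assumption on my part: `enc()`/`dec()` are taken to be a single raw AES block operation on the 16-byte challenge (no chaining mode, no padding), `crypto/rand` stands in for the device TRNG, and SHA-256 over `K || chg_A` stands in for the unspecified KDF. The key is a constructed demo value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

type Device struct {
	ID  string
	Key []byte       // pre-shared key K
	blk cipher.Block // AES instance for K
}

// NewDevice binds an identifier to K (a 16-byte key selects AES-128).
func NewDevice(id string, key []byte) (Device, error) {
	blk, err := aes.NewCipher(key)
	return Device{ID: id, Key: key, blk: blk}, err
}

type Msg1 struct{ IDA string; ChgA []byte }             // A -> B : id_A, chg_A
type Msg2 struct{ IDB string; EncChgA, EncChgB []byte } // A <- B : id_B, enc(chg_A), enc(chg_B)
type Msg3 struct{ ChgB []byte }                         // A -> B : dec(enc(chg_B))

// enc and dec are the enc()/dec() of the question as assumed here: one raw AES
// block operation on a 16-byte value (Encrypt/Decrypt panic on any other length).
func (d Device) enc(in []byte) []byte {
	out := make([]byte, aes.BlockSize)
	d.blk.Encrypt(out, in)
	return out
}
func (d Device) dec(in []byte) []byte {
	out := make([]byte, aes.BlockSize)
	d.blk.Decrypt(out, in)
	return out
}

// newChallenge draws 16 random bytes; crypto/rand stands in for the device TRNG.
func newChallenge() []byte {
	chg := make([]byte, aes.BlockSize)
	if _, err := rand.Read(chg); err != nil {
		panic(err) // no usable randomness source: refuse to authenticate
	}
	return chg
}

// replyB is B's handling of message 1: answer chg_A under K and issue a fresh
// chg_B, sent encrypted so a reflected message cannot answer it. B keeps chg_B.
func replyB(b Device, m1 Msg1) (Msg2, []byte) {
	chgB := newChallenge()
	return Msg2{IDB: b.ID, EncChgA: b.enc(m1.ChgA), EncChgB: b.enc(chgB)}, chgB
}

// respondA is A's handling of message 2: recompute enc(chg_A) under K, compare in
// constant time, and only after that check passes decrypt enc(chg_B) for message 3.
func respondA(a Device, chgA []byte, m2 Msg2) (Msg3, error) {
	if subtle.ConstantTimeCompare(a.enc(chgA), m2.EncChgA) != 1 {
		return Msg3{}, errors.New("peer did not prove knowledge of K")
	}
	return Msg3{ChgB: a.dec(m2.EncChgB)}, nil
}

// verifyB is B's check of message 3 against the chg_B it generated.
func verifyB(chgB []byte, m3 Msg3) bool {
	return subtle.ConstantTimeCompare(chgB, m3.ChgB) == 1
}

// sessionKey is KDF(K || chg_A); SHA-256 is an assumed stand-in for the real KDF.
func sessionKey(key, chgA []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, key...), chgA...))
	return h[:]
}

// runProtocol drives the three messages end to end, reporting whether both
// parties accepted and returning the session key each side derived.
func runProtocol(a, b Device) (bool, []byte, []byte, error) {
	chgA := newChallenge()
	m2, chgB := replyB(b, Msg1{IDA: a.ID, ChgA: chgA})
	m3, err := respondA(a, chgA, m2)
	if err != nil {
		return false, nil, nil, err // A rejects B at message 2
	}
	if !verifyB(chgB, m3) {
		return false, nil, nil, nil // B rejects A at message 3
	}
	return true, sessionKey(a.Key, chgA), sessionKey(b.Key, chgA), nil
}

func main() {
	k := []byte("0123456789abcdef") // constructed demo key shared by A and B
	a, _ := NewDevice("A", k)
	b, _ := NewDevice("B", k)
	ok, ka, kb, err := runProtocol(a, b)
	fmt.Println("both accepted:", ok, "session keys agree:", string(ka) == string(kb), err)
}
```

Running it with two devices that share `K` makes both sides accept and derive the same session key; giving B a different key makes A stop at message 2, and a wrong `chg_B` in message 3 makes B reject. Laying the messages out as structs also makes visible which fields are covered by a computation under `K` (the two challenges) and which travel as plain fields (`id_A`, `id_B`), which is useful when reasoning about the questions above.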