M-AuRA: Mutual Authentication and Remote Attestation over EDHOC

Jan 1, 2026 · Yuxuan Song 宋俞萱, Elsa Lopez Perez, Geovane Fedrecheski, Thomas Watteyne, Malisa Vucinic
Abstract
The proliferation of Internet-of-Things (IoT) devices in critical infrastructure requires robust security mechanisms to verify device integrity and trustworthiness. Remote Attestation (RA) is a security mechanism for validating the software and hardware state of remote devices. Existing RA solutions for resource-constrained IoT devices lack comprehensive frameworks for secure attestation channels and focus primarily on local evidence generation without addressing end-to-end security. This paper introduces M-AuRA, a lightweight RA solution that fills these gaps by leveraging the newly standardized Ephemeral Diffie-Hellman over COSE (EDHOC) protocol. M-AuRA seamlessly integrates attestation with authentication, enabling both unilateral and mutual attestation modes while maintaining minimal resource overhead. Our framework specifies how to transport existing attestation mechanisms in parallel with secure communication establishment, providing a complete end-to-end security solution for IoT deployments. We demonstrate M-AuRA's practicality through implementation on the nRF5340 microcontroller running at 64 MHz, evaluating performance across both software and hardware cryptographic back-ends. In mutual attestation mode, our implementation consumes only 4,692 B of RAM and 19,350 B of flash memory, occupying 0.9% and 1.85% of available nRF5340 resources, respectively. The four-message EDHOC exchange (45 B, 65 B, 177 B and 120 B) enables mutual trustworthiness verification in 10.46 s using a software-based cryptographic back-end, or only 0.43 s with hardware acceleration, consuming 171.43 mC and 7.97 mC of charge, respectively.
Type
Publication
In IEEE Transactions on Computers