[noise] new branch: psk2

Trevor Perrin trevp at trevp.net
Mon Nov 16 00:48:10 PST 2015


On Sat, Nov 14, 2015 at 3:48 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> On Sat, Nov 14, 2015 at 8:16 AM, Trevor Perrin <trevp at trevp.net> wrote:
>>
>> This makes it crucial for each party's first message to begin with
>> "e", so I reordered "s, e" -> "e, s" in a couple patterns, and
>> explained this in Section 6.1 "Pattern validity".
>>
>>  * A more subtle "invalid" pattern would be one that sent encrypted
>> data without first doing a DH with the sender's ephemeral against any
>> public keys the remote party has sent.  Example:
>>
>>  -> e, s
>>  <- e, dhee, dhss
>
> Are there any _useful_ patterns where these patterns would occur? Or
> is it possible to work around this in pretty much all scenarios?

I can't think of a great reason you'd want to introduce an ephemeral
and not get the benefits of both forward-secrecy (dhee) and
authentication (dhes) from it.


> But, I would suggest in screech (and other implementations too), you
> implement this validation in the handshake constructor,

Yeah, I was thinking of that too.


Trevor


More information about the Noise mailing list