[noise] DoS *is* a problem

Jason A. Donenfeld Jason at zx2c4.com
Sat Nov 21 05:59:06 PST 2015


On Sat, Nov 21, 2015 at 2:28 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:

> The second, and more significant, mitigation is that when the responder
> sends the cookie back to the initiator, it authenticated-encrypts it,
> taking as a key a combination of the responder's public key, optionally the
> PSK too, and the initial HMAC that was sent in the initiator's first
> handshake initiation.


Do I have to worry about nonces here for any reason? I would think not,
since it mixes in the initial HMAC, which is random. And the data its
encrypting is the result of an HMAC, so I don't risk leaking the
responder's cookie key there. But, just making sure...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20151121/8b714fd6/attachment.html>


More information about the Noise mailing list