[noise] Another spec issue: remote ephemeral keys

Rhys Weatherley rhys.weatherley at gmail.com
Fri Apr 15 16:10:19 PDT 2016


In section 5.3 under the description of ReadMessage():

    For "e": Sets re to the next DHLEN bytes from the
    message.  Calls MixHash(re.public_key).

That should probably read as:

    For "e": Sets re to the next DHLEN bytes from the
    message.  If "e" is the null public key value, then
    abort the handshake with an error.  Otherwise call
    MixHash(re.public_key).

While implementing ReadMessage() today, I realised that a hostile party
could downgrade the security of the handshake to "none at all" by
specifying a null ephemeral key in their first packet.  That will cause all
future encryption key values to become predictable to an eavesdropper.

It may also be worth being more explicit as to exactly what circumstances a
null static key can be used in accordance with "9.1. Dummy static public
keys".  Can every handshake pattern involving static keys use them, or only
a certain subset under certain strictly defined conditions with everything
else rejected?

Cheers,

Rhys.
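The downgrade described above, as an added example that is not part of the original post or of the Noise specification. It assumes the DH function is Curve25519 (X25519 per RFC 7748, implemented here in pure Python so it runs offline), that the "null public key value" is the all-zero 32-byte encoding, and stands in for MixKey with an HMAC-SHA256 step; `DEMO_CK`, `read_e_token`, `accepts_e_token` and `derived_keys_for_remote_ephemeral` are names invented for this demo. It shows that any local ephemeral combined with the null remote ephemeral yields an all-zero DH output, so the key that "ee" mixes in is a constant an eavesdropper can compute, and it implements the abort proposed in the post.

```python
import hashlib
import hmac
import os

DHLEN = 32
NULL_PUBLIC_KEY = bytes(DHLEN)            # assumed: the null key is all zeros
BASEPOINT = (9).to_bytes(DHLEN, "little")
P = 2**255 - 19
A24 = 121665
DEMO_CK = hashlib.sha256(b"Noise_demo_chaining_key").digest()  # constructed ck


def x25519(scalar: bytes, u: bytes) -> bytes:
    """X25519 Montgomery ladder per RFC 7748 (pure Python, demo only)."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * (da - cb) * (da - cb) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    # z2 == 0 (u is a low-order point, e.g. the all-zero key) gives an
    # all-zero result, independent of the scalar.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(DHLEN, "little")


def public_key(private: bytes) -> bytes:
    return x25519(private, BASEPOINT)


def mix_key(ck: bytes, dh_out: bytes) -> bytes:
    """Stand-in for MixKey: next key from chaining key and DH output
    (HMAC-SHA256 here; the spec itself uses HKDF)."""
    return hmac.new(ck, dh_out, hashlib.sha256).digest()


class HandshakeError(Exception):
    pass


def read_e_token(message: bytes, check_null: bool = True):
    """The "e" step of ReadMessage: take the next DHLEN bytes as re.
    With check_null=True, apply the abort proposed in the post.
    Returns (re, remaining_message)."""
    if len(message) < DHLEN:
        raise HandshakeError("message too short to hold the ephemeral key")
    re_pub, rest = message[:DHLEN], message[DHLEN:]
    if check_null and re_pub == NULL_PUBLIC_KEY:
        raise HandshakeError("remote ephemeral is the null public key")
    return re_pub, rest


def accepts_e_token(message: bytes, check_null: bool = True) -> bool:
    try:
        read_e_token(message, check_null)
        return True
    except HandshakeError:
        return False


def derived_keys_for_remote_ephemeral(re_pub: bytes, trials: int = 3) -> set:
    """Run "e" then "ee" `trials` times with fresh local ephemerals and collect
    the resulting keys. An honest re yields a different key each time; the
    null re yields one fixed key, mix_key(DEMO_CK, all-zeros), which anyone
    watching the wire can compute."""
    keys = set()
    for _ in range(trials):
        e_priv = os.urandom(DHLEN)
        keys.add(mix_key(DEMO_CK, x25519(e_priv, re_pub)))
    return keys


if __name__ == "__main__":
    honest = public_key(os.urandom(DHLEN))
    print("honest re ->", len(derived_keys_for_remote_ephemeral(honest)), "distinct keys")
    print("null re   ->", len(derived_keys_for_remote_ephemeral(NULL_PUBLIC_KEY)), "distinct key")
    print("null re accepted with the check:", accepts_e_token(NULL_PUBLIC_KEY + b"payload"))
```

One caveat on the check itself (my note, not from the post): on Curve25519 the all-zero encoding is not the only input that forces a zero DH output; the curve's other low-order points do the same, so a comparison against the null encoding alone is narrower than rejecting an all-zero DH result after the "ee"/"es"/"se" steps, which catches every such input in one place.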