[noise] Another spec issue: remote ephemeral keys

Rhys Weatherley rhys.weatherley at gmail.com
Sat Apr 16 00:05:49 PDT 2016


On Sat, Apr 16, 2016 at 3:37 PM, Trevor Perrin <trevp at trevp.net> wrote:

> A hostile party could always downgrade the security of its own
> handshake, e.g. by using an ephemeral with a known/published private key.
>
> Using a null ephemeral public key shouldn't accomplish anything more than
> that.


True.  I'm looking at it from the point of view of mass surveillance where
the hostile party has hacked an app on an app store.  An implementation
that is using a non-null "snooper's key" makes that traffic visible only to
the snoopers in the know about that specific key (or set of keys).

The null key (or any point with small order) on the other hand makes the
traffic visible to *all* snoopers, even those that didn't hack the app.
It's so obviously bad that a blanket policy of "I'm not talking to you if
your key is that bad" is probably wise.

Maybe I'm just paranoid.  I've spent the last week running ridiculous
attack scenarios against Noise-C in my head to try to harden it. :-)

Cheers,

Rhys.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20160416/8202f32a/attachment.html>


More information about the Noise mailing list