[noise] Another spec issue: remote ephemeral keys
Trevor Perrin
trevp at trevp.net
Sat Apr 16 08:18:37 PDT 2016
On Sat, Apr 16, 2016 at 3:07 AM, Rhys Weatherley
<rhys.weatherley at gmail.com> wrote:
> Just to beat this dead horse one more time before I shut up. :-)
>
> I wrote a test to investigate the impact of null keys (ephemeral or static)
> on the chaining key. For this purpose I classify "entropy collapse" as a
> scenario where all DH outputs are the null value, making the chaining key
> completely deterministic even if some of the inputs were non-null.
That's a nice list, but I'd describe it as listing the sets of private
keys which, if revealed, would allow decrypting the session.
My contention is there's no important difference between:
(a) public key is small-order, thus always produces a fixed output,
e.g. the "null" public key
(b) public key corresponds to a published private key which everyone
knows, thus always produces a known output
You're right that in the (b) case the session keys would still be
randomized, but I don't think there's a meaningful difference between
a compromised deterministic key and a compromised randomized key.
We've taken care in 8.1 Pattern Validity to ensure null public values
can't affect the randomized use of non-compromised keys. And we've
take care in the "channel binding" discussion to ensure sessions have
unique identifiers (h) even if they have shared keys.
So I still don't think any more checks are needed.
Trevor
More information about the Noise
mailing list