[noise] suitability of using Noise in ICS environment
Adam Crain
jadamcrain at automatak.com
Thu Jul 14 13:18:55 PDT 2016
Hi Trevor,
Following up on this thread, and not being a cryptographer, what's the
reason for including len(ad) in the HMAC calculation? Is there some sort of
attack possible if encrypt was redefined in terms of HMAC as:
ENCRYPT(k, n, ad, plaintext):
plaintext || HMAC(k, n || ad || plaintext)
instead of:
ENCRYPT(k, n, ad, plaintext):
plaintext || HMAC(k, n || len(ad) || ad || plaintext)
What does appending len(ad) accomplish?
thanks,
Adam
On Fri, Apr 29, 2016 at 1:40 PM, Trevor Perrin <trevp at trevp.net> wrote:
>
> On Fri, Apr 29, 2016 at 8:48 AM, Adam Crain <jadamcrain at automatak.com>
> wrote:
>
>>
>> I have a question regarding how Noise uses AEAD cipher modes to
>> authenticate the key agreement. Is this primarily how Noise accomplishes
>> "identity hiding"? I.e., all the key agreement payloads would be encrypted,
>> thus observers wouldn't see any payload certificates, etc?
>>
>
>
> Hi Adam,
>
> The AEAD during handshake accomplishes a few things, not just identity
> hiding, e.g.
> - encrypts and authenticates handshake payloads
> - confirms that the other party has derived the correct keys
> - confirms that the other party has the same view of handshake hash
>
> If you want authentication of data, not confidentiality, I suppose you
> could define ENCRYPT() and DECRYPT() in terms of HMAC (which Noise needs
> anyways), e.g.
>
> ENCRYPT(k, n, ad, plaintext):
> plaintext || HMAC(k, n || len(ad) || ad || plaintext)
>
>
> A lot of the Noise patterns defer sending static public keys until they
> can do it under encryption, but if that doesn't matter for you, you could
> consider patterns where all static public keys are sent in clear, like:
>
> -> e, s
> <- e, s, dhee, dhes, dhse
>
>
> Trevor
>
>
--
J Adam Crain - Partner
<http://www.automatak.com>
PGP 4096R/E2984A0C <https://www.automatak.com/keys/jadamcrain.asc> 2013-05-03
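The question above is about why a MAC over a plain concatenation n || ad || plaintext needs a length field. The following is an added worked example, not code from the thread or from the Noise specification: it builds both HMAC-based ENCRYPT variants as written above and shows that without len(ad) the verifier cannot tell where ad ends and plaintext begins, so a message authenticated under (ad, plaintext) also verifies under a shifted split (ad', plaintext'). The 2-byte big-endian encoding of len(ad), the key, nonce and sample values are all constructed assumptions.

```python
import hmac
import hashlib

TAG_LEN = hashlib.sha256().digest_size


def mac_no_len(k: bytes, n: bytes, ad: bytes, pt: bytes) -> bytes:
    """HMAC over n || ad || pt, the first ENCRYPT variant from the mail (no length field)."""
    return hmac.new(k, n + ad + pt, hashlib.sha256).digest()


def mac_with_len(k: bytes, n: bytes, ad: bytes, pt: bytes) -> bytes:
    """HMAC over n || len(ad) || ad || pt; len(ad) encoded as 2-byte big-endian (assumed)."""
    return hmac.new(k, n + len(ad).to_bytes(2, "big") + ad + pt, hashlib.sha256).digest()


def encrypt(k: bytes, n: bytes, ad: bytes, pt: bytes, use_len: bool) -> bytes:
    """ENCRYPT(k, n, ad, plaintext) = plaintext || tag, for either MAC variant."""
    mac = mac_with_len if use_len else mac_no_len
    return pt + mac(k, n, ad, pt)


def decrypt(k: bytes, n: bytes, ad: bytes, ct: bytes, use_len: bool) -> bytes:
    """Split ct into plaintext || tag and verify the tag; raise on mismatch."""
    pt, tag = ct[:-TAG_LEN], ct[-TAG_LEN:]
    mac = mac_with_len if use_len else mac_no_len
    if not hmac.compare_digest(tag, mac(k, n, ad, pt)):
        raise ValueError("bad tag")
    return pt


def boundary_shift_accepted(use_len: bool) -> bool:
    """True if a tag made for (ad, pt) also verifies when the last byte of ad is
    re-parsed as the first byte of pt. The bytes n||ad||pt are identical in both
    readings, so only a length field makes the split unambiguous."""
    k = b"\x00" * 32                  # constructed key
    n = (7).to_bytes(8, "big")        # constructed 8-byte nonce
    ad, pt = b"hash:ab", b"payload"   # constructed associated data and plaintext
    ct = encrypt(k, n, ad, pt, use_len)
    tag = ct[len(pt):]
    ad2, pt2 = ad[:-1], ad[-1:] + pt  # same concatenation, different boundary
    try:
        decrypt(k, n, ad2, pt2 + tag, use_len)
        return True
    except ValueError:
        return False
```

In Noise itself the handshake ad is the fixed-length hash h and the transport ad is empty, so the boundary is already unambiguous there; the length field is what makes the construction safe for arbitrary-length ad.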