[noise] Deriving additional keys
Rhys Weatherley
rhys.weatherley at gmail.com
Sat Oct 8 18:03:38 PDT 2016
On Sun, Oct 9, 2016 at 6:57 AM, Trevor Perrin <trevp at trevp.net> wrote:
> To derive an "additional" key or pair of keys, do:
> ki : initiator's post-handshake encryption key
> name : ASCII string zero-padded to 32 bytes
> K = ENCRYPT(ki, nonce=2^64-1, ad=zerolen, plaintext=zeros[32])[0..32]
> return HKDF(K, name)
>
Why does the name need to be padded? The hash that HKDF is based on will
pad anyway. Then the name can be arbitrary-length.
I was thinking that rather than the PSK being the "resumption key", "K"
could be the resumption key from which the PSKs are generated for
follow-up sessions:
PSK = HKDF(K, name || nonce)
Where "nonce" is a randomly generated value and/or timestamp sent as part
of the prologue for the new session. I was thinking that, but then I
realised that the PSK is already nonce'd with the initiator's ephemeral
public key. So, ignore that. :-)
However, my thought experiment does imply that "name" or parts thereof may
not be known until the new session starts if it contains session-specific
context:
PSK = HKDF(K, name || context)
So "K" might be the resumption key after all.
Cheers,
Rhys.