[noise] Deriving resumption PSKs (was: SAS (was: Explicit nonces (for lossy transports))
Trevor Perrin
trevp at trevp.net
Sun Jul 30 00:13:27 PDT 2017
On Sun, Jul 30, 2017 at 5:48 AM, Rhys Weatherley
<rhys.weatherley at gmail.com> wrote:
> On Sun, Jul 30, 2017 at 2:49 PM, Trevor Perrin <trevp at trevp.net> wrote:
>>
>> Since we recently added an optional 3rd output to HKDF for
>> MixKeyAndHash(PSK), it's now less painful to derive extra keys based
>> on the output of HKDF in Split(). So I'll propose using a chain of
>> HKDF to derive numbered PSKS (0, 1, 2, ...):
>>
>> EK = 3rd output from Split().HKDF()
>> CK_PSK, PSK_0 = HKDF(EK, "PSK")
>> CK_PSK, PSK_1 = HKDF(CK, "")
>> CK_PSK, PSK_2 = HKDF(CK, "")
>
>
> I think you meant CK_PSK instead of CK in those last two lines.
Oops, yes.
> But other
> than that, I'm happy with this approach.
Sweet, I think we've got most of the pieces for PSK resumption, maybe
even for semi-ephemeral / semi-static resumption, so I'll try to start
a new spec on that soon.
Trevor
More information about the Noise
mailing list