[noise] non replayable XK/KK?

Justin Cormack justin at specialbusservice.com
Fri Feb 2 03:20:02 PST 2018


On 31 January 2018 at 16:37, Trevor Perrin <trevp at trevp.net> wrote:
>  - the responder wants to defer the DH calculation for
> denial-of-service resistance or other performance reasons

Thinking about this, I can think of some use cases where you might want to defer DH, e.g. waiting for confirmation that the sender was not spoofing their address. E.g. from

ND(rs):
  <- s
  ...
  -> e
  <- e, ee, es

We can defer this to

ND(rs):
  <- s
  ...
  -> e
  <- e
  -> ee, es

If there is no message being sent by the responder after the handshake, this can be done automatically, as it does not actually affect bits on the wire. This is convenient as it means we don't need to have an explicit different pattern, but it might be helpful for users to be able to indicate where they do not want messages to be sent, as the security properties are not good for the kind of message.

E.g. we could define

ND00(rs):
  <- s
  ...
  -> e, 0
  <- e, ee, es, 0

where the "0" indicates a message will not be accepted or sent here.
The DH can then be deferred.

Thinking that the ability to specify that we will not send or receive message content at various stages in the handshake may be generally useful.

Justin
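Added illustration (not part of the list post, and not Noise reference code): a toy model of handshake-pattern processing that runs ND, the deferred variant with "-> ee, es" moved to the initiator's next message, and the ND00 form with the proposed "0" token. It is written to make the three claims above checkable: the two ND variants put identical bytes on the wire and derive the same chaining key when no payload is sent, the responder in the deferred variant has done zero DH operations when its reply leaves, and a "0" token rejects a payload at that position. Everything is constructed for the demonstration: the DH group is the multiplicative group mod 2^127 - 1 (insecure, illustration only), the symmetric state is a simplified SHA-256/HMAC chain rather than the Noise HKDF construction, payloads travel in the clear, and ephemeral keys are derived from fixed seeds so the two runs can be compared byte for byte.

```python
import hashlib
import hmac

# Toy DH group (NOT secure, illustration only): integers modulo the Mersenne prime 2^127 - 1.
P = (1 << 127) - 1
G = 5
PUB_LEN = 16                    # 127-bit public values fit in 16 bytes
NAME = b"toy_ND_handshake"      # constructed protocol name, shared by every run so states compare


def encode(pub):
    return pub.to_bytes(PUB_LEN, "big")


def dh(priv, pub):
    return encode(pow(pub, priv, P))


def keypair(seed):
    # Deterministic keys so pattern variants compare byte for byte; real code uses a CSPRNG.
    priv = int.from_bytes(hashlib.sha256(seed).digest(), "big") % (P - 1) + 1
    return priv, pow(G, priv, P)


class SymmetricState:
    """Simplified MixHash/MixKey: h chains the transcript, ck chains DH key material."""

    def __init__(self):
        self.h = hashlib.sha256(NAME).digest()
        self.ck = self.h

    def mix_hash(self, data):
        self.h = hashlib.sha256(self.h + data).digest()

    def mix_key(self, ikm):
        self.ck = hmac.new(self.ck, ikm, hashlib.sha256).digest()


def parse(line):
    direction, _, rest = line.partition(" ")
    return direction, [t.strip() for t in rest.split(",") if t.strip()]


class HandshakeState:
    def __init__(self, messages, initiator, s=None, rs=None, e_seed=b""):
        self.messages, self.initiator = messages, initiator
        self.s, self.rs, self.e, self.re = s, rs, None, None
        self.e_seed = e_seed
        self.dh_ops = 0                                 # DH computations this party performed
        self.sym = SymmetricState()
        self.sym.mix_hash(encode(rs if initiator else s[1]))   # pre-message "<- s"

    def _dh_token(self, token):
        if token == "ee":
            return dh(self.e[0], self.re)
        if token == "es":
            return dh(self.e[0], self.rs) if self.initiator else dh(self.s[0], self.re)
        raise ValueError("unsupported token " + token)

    def write_message(self, index, payload=b""):
        direction, tokens = parse(self.messages[index])
        assert (direction == "->") == self.initiator, "not this party's turn"
        out = b""
        for t in tokens:
            if t == "e":
                self.e = keypair(self.e_seed)
                out += encode(self.e[1])
                self.sym.mix_hash(encode(self.e[1]))
            elif t == "0":                              # proposed marker: no payload here
                if payload:
                    raise ValueError("pattern forbids a payload in message %d" % index)
            else:
                self.sym.mix_key(self._dh_token(t))
                self.dh_ops += 1
        self.sym.mix_hash(payload)                      # payload is in the clear in this toy
        return out + payload

    def read_message(self, index, data):
        direction, tokens = parse(self.messages[index])
        assert (direction == "->") != self.initiator, "not this party's turn"
        for t in tokens:
            if t == "e":
                self.re = int.from_bytes(data[:PUB_LEN], "big")
                self.sym.mix_hash(data[:PUB_LEN])
                data = data[PUB_LEN:]
            elif t == "0":
                if data:
                    raise ValueError("pattern forbids a payload in message %d" % index)
            else:
                self.sym.mix_key(self._dh_token(t))
                self.dh_ops += 1
        self.sym.mix_hash(data)
        return data


ND = ["-> e", "<- e, ee, es"]
ND_DEFERRED = ["-> e", "<- e", "-> ee, es"]
ND00 = ["-> e, 0", "<- e, ee, es, 0"]


def run(messages, payloads=None):
    """Run both sides; report wire bytes and how much DH the responder did before replying."""
    payloads = payloads or [b""] * len(messages)
    s = keypair(b"responder-static")
    init = HandshakeState(messages, True, rs=s[1], e_seed=b"initiator-ephemeral")
    resp = HandshakeState(messages, False, s=s, e_seed=b"responder-ephemeral")
    wire, dh_at_reply = [], None
    for i, msg in enumerate(messages):
        writer, reader = (init, resp) if msg.startswith("->") else (resp, init)
        data = writer.write_message(i, payloads[i])
        if writer is resp:
            dh_at_reply = resp.dh_ops                   # DH work done before the reply was sent
        reader.read_message(i, data)
        wire.append(data)
    assert init.sym.ck == resp.sym.ck and init.sym.h == resp.sym.h
    return {"wire": wire, "responder_dh_at_reply": dh_at_reply, "ck": init.sym.ck}
```

Running run(ND) and run(ND_DEFERRED) gives the same two wire messages, an empty third message for the deferred form, the same chaining key, and a responder DH count of 2 versus 0 at the moment the reply is sent; run(ND00, [b"hello", b""]) raises because the first message carries a "0". The transcript hash h does differ between the two variants (one more empty-payload absorption), which is why a real deployment would treat the deferral as an implementation choice under one pattern name rather than two patterns.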

