[noise] Noise Explorer

Trevor Perrin trevp at trevp.net
Thu May 24 01:55:44 PDT 2018


On Wed, May 23, 2018 at 6:08 PM, Katriel Cohn-Gordon <me at katriel.co.uk> wrote:
> Hi all,
>
> This looks to me a bit like an unknown key-share attack against the initiator:

Hi Katriel,

Maybe I missed something, but I thought Karthik was just describing
the simple case where the sender of a message hasn't authenticated the
recipient yet.


>   - the initiator A thinks they have a session with the responder B, and
>   - there is indeed a session with the same key at the responder B, but
>   - B thinks that that session is in fact with the adversary E.
>
> Are there (authenticated) Noise protocols for which the above can happen? If so, is that intentional?

If each party's identity is a unique static public key, then I don't
think this could happen, since static public keys are included in the
transcript hash which both parties agree to.

If a static public key is used with different identities or roles,
then you'd want to include the identity/role in the prologue or
payload, to make sure both parties agreed to it.

That's a generic concern with any protocol like this.  But we could
think about adding a security consideration for it.

Trevor


More information about the Noise mailing list