[noise] Resumption PSKs

Christopher Wood christopherwood07 at gmail.com
Tue Jun 12 10:04:37 PDT 2018


On Tue, Jun 12, 2018 at 9:22 AM David Wong <davidwong.crypto at gmail.com> wrote:
>
> From an API perspective, the cleanest and the retro-compatible way is
> to not change Split() and have Split() iterate the chaining key as I
> pointed out in my first reply to this thread.

+1 to this suggestion.

>
> Sure applications can delete the handshakeState, but the ones that
> won't delete the handshakeState now have a handshakeState that is
> benign (since the chainkey has been iterated and cannot be used to
> derive the session keys anymore) and if they do want to use the
> functionality that str4d is looking for then they can preserve the
> handshakeState on purpose.
>
> Now if libraries delete the handshakeState themselves we have an
> issue, but if this proposition is accepted then up-to-date libraries
> can have Split iterate the chaining key and not delete the
> handshakeState.
>
> Note that for the handshakeState to be completely benign, the private
> keys associated with ephemeral keys still need to be removed. I think
> this is a good argument to point out in relevant places --maybe
> Write/ReadMessage()-- that a DH(e, something) should remove the
> e_private as well.
>
> David
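The following is an added illustration of the two points in the thread, not code from the Noise spec, from any Noise library, or from either poster. It models a minimal SymmetricState with the Noise HKDF construction over SHA-256, and compares the current Split() (chaining key left in place) with the proposed Split() that iterates the chaining key. How that iteration is realized is an assumption: here Split() asks HKDF for a third output and stores it as the new ck. The DH group (p = 2^127 - 1, generator 3), the protocol name, and the 16-byte scalars are constructed stand-ins for a real 25519 DH function and are not a secure parameter choice; they only give the API the shape needed to show that DH(e, something) can wipe e_private in place.

```python
import hashlib
import hmac
import secrets

HASHLEN = 32

# Toy finite-field DH group: constructed stand-in for 25519, NOT secure parameters.
P = (1 << 127) - 1
G = 3
PROTOCOL_NAME = b"Noise_NN_toyDH_ChaChaPoly_SHA256"  # constructed name


def hmac_sha256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def hkdf(ck: bytes, ikm: bytes, num_outputs: int) -> tuple:
    """HKDF as defined by the Noise framework: outputs chain off one temp_key."""
    temp_key = hmac_sha256(ck, ikm)
    outputs, prev = [], b""
    for i in range(1, num_outputs + 1):
        prev = hmac_sha256(temp_key, prev + bytes([i]))
        outputs.append(prev)
    return tuple(outputs)


class EphemeralKeyPair:
    """Ephemeral key pair; the private scalar lives in a bytearray so it can be wiped."""

    def __init__(self):
        scalar = secrets.randbelow(P - 1) + 1          # 1 <= scalar <= P-1, never zero
        self.private = bytearray(scalar.to_bytes(16, "big"))
        self.public = pow(G, scalar, P).to_bytes(16, "big")

    def dh(self, remote_public: bytes) -> bytes:
        # DH(e, something): compute the shared secret, then overwrite e_private
        # in place so a retained handshake state no longer holds it.
        if not any(self.private):
            raise RuntimeError("ephemeral private key already wiped")
        shared = pow(int.from_bytes(remote_public, "big"),
                     int.from_bytes(self.private, "big"), P)
        for i in range(len(self.private)):
            self.private[i] = 0
        return shared.to_bytes(16, "big")


class SymmetricState:
    def __init__(self, protocol_name: bytes):
        if len(protocol_name) <= HASHLEN:
            self.h = protocol_name.ljust(HASHLEN, b"\x00")
        else:
            self.h = hashlib.sha256(protocol_name).digest()
        self.ck = self.h

    def mix_key(self, ikm: bytes) -> None:
        self.ck, _k = hkdf(self.ck, ikm, 2)

    def split(self, ratchet_ck: bool = True) -> tuple:
        """Return (k1, k2). With ratchet_ck the chaining key is iterated as proposed."""
        if ratchet_ck:
            # Assumption: "iterate the chaining key" = take a third HKDF output as the
            # new ck. k1/k2 are unchanged, so existing Split() callers see no difference.
            k1, k2, self.ck = hkdf(self.ck, b"", 3)
        else:
            k1, k2 = hkdf(self.ck, b"", 2)   # current behaviour: ck survives Split()
        return k1, k2


def handshake_keys_agree(ratchet_ck: bool = True) -> bool:
    """Both sides mix the same DH output and must derive identical session keys."""
    init, resp = SymmetricState(PROTOCOL_NAME), SymmetricState(PROTOCOL_NAME)
    ei, er = EphemeralKeyPair(), EphemeralKeyPair()
    init.mix_key(ei.dh(er.public))
    resp.mix_key(er.dh(ei.public))
    return init.split(ratchet_ck) == resp.split(ratchet_ck)


def leftover_state_can_rederive(ratchet_ck: bool) -> bool:
    """Can a handshake state that was not deleted reproduce the session keys?"""
    state = SymmetricState(PROTOCOL_NAME)
    e, peer = EphemeralKeyPair(), EphemeralKeyPair()
    state.mix_key(e.dh(peer.public))
    session = state.split(ratchet_ck)
    return state.split(ratchet_ck) == session   # a second Split() on the leftover state


def ephemeral_private_wiped_after_dh() -> bool:
    e, peer = EphemeralKeyPair(), EphemeralKeyPair()
    had_key = any(e.private)
    e.dh(peer.public)
    return had_key and not any(e.private)


if __name__ == "__main__":
    print("keys agree:", handshake_keys_agree())
    print("leftover state re-derives keys (spec Split):", leftover_state_can_rederive(False))
    print("leftover state re-derives keys (ratcheting Split):", leftover_state_can_rederive(True))
    print("e_private wiped after DH:", ephemeral_private_wiped_after_dh())
```

With the current Split(), a forgotten handshake state still holds the ck that produced k1 and k2, so anyone who later obtains that state gets the session keys for free; with the ratcheting Split() the same state only holds a ck from which k1 and k2 cannot be recomputed, and once e_private has been zeroed the retained object is, as the thread puts it, benign.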
