[noise] Resumption PSKs

str4d str4d at i2pmail.org
Wed Jun 13 17:22:44 PDT 2018 

On 06/14/2018 08:18 AM, Trevor Perrin wrote:
> On Wed, Jun 13, 2018 at 4:40 PM, Christopher Wood <
> christopherwood07 at gmail.com> wrote:
> 
>> On Tue, Jun 12, 2018 at 10:20 AM Trevor Perrin <trevp at trevp.net> wrote:>
>> So the following sketch derives an Additional Symmetric Key (ASK) "master
>> key" from HKDF, which can then be used to create chains at a later point.
>>>
>>> The idea is that we can use this during the handshake as well as during
>> Split().  We haven't used HKDF info before, but using it now means that
>> ask_master derivation just requires a single extra HMAC, since it can share
>> the HKDF-Extract step with the existing HKDF:
>>>
>>> # During handshake
>>> ck, k = HKDF(ck, ikm)
>>> ask_master = HKDF(ck, ikm, info="ask")
>>>
>>> # During split
>>> transport1, transport2 = HKDF(ck, zerolen)
>>> ask_master = HKDF(ck, zerolen, info="ask")
>>>
>>> # Either case
>>> create_chains(labels):
>>>   ask_chain1 = HMAC(ask_master, h || label1)
>>>   ask_chain2 = HMAC(ask_master, h || label2)
>>>   ask_chain3 = HMAC(ask_master, h || label3)
>>>   ...
>>>   delete ask_master
>>
>> This is quite nice.

I agree :)

> Maybe an API vaguely like this?
> 
> EnableASK():
>   - sets a boolean that causes ASK master keys to be derived, both during
> the handshake and at the end of it.
> 
> InitializeASK(labels):
>   - Assuming ASK was enabled, and there is a non-empty ASK master key,
> derives a set of ASK chain keys from the ASK master key and the input
> labels, then deletes the ASK master key.  This could be called multiple
> times, including after the handshake and during it, and replaces any
> previous ASK chains when called.
> 
> GetASK(label)
>  - Assuming ASK is enabled and initialized, returns the next key from the
> appropriate chain, and advances the appropriate ASK chain key, deleting the
> previous chain key.
> 
> So if you don't EnableASK(), you don't pay any costs for deriving ASK
> master keys.  If you do enable it, they you can call InitializeASK/GetASK
> either during a handshake or after it, to get ASKs with the same level of
> security as the current encryption keys.
This API is very similar to how my current draft implementation (of the
previous proposal) on snow is organised. I'll massage it to implement
the above proposal, and see if there are any pain points.

Cheers,
str4d

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20180614/d719608b/attachment.sig>

More information about the Noise mailing list