[noise] certificate chains

Arvid Picciani aep at exys.org
Tue Jul 3 09:45:04 PDT 2018


it's online with a temporary key which has to be refreshed every 24h.
so yes, static is indeed unneeded if the handshake hash has the same security.
(my thought was that reusing s adds 0-RTT, but keeping it simple has
advantages too)

worst case, what are the security properties of signing the hash in NN
in the second message?

NN
   -> e
   <- e, ee [u, u(h)]
   -> [u, u(h)]

this looks identical to your proposed XXsig, except yours seems to be
signatures of the static key rather than the hash.





On Tue, Jul 3, 2018 at 6:06 PM, Trevor Perrin <trevp at trevp.net> wrote:
> On Tue, Jul 3, 2018 at 3:48 PM, Arvid Picciani <aep at exys.org> wrote:
>>> I was assuming that "s" will be used repeatedly by the client
>>
>> no, only by the server for 0-RTT.
>> the s sent in message 1 (cleartext) is not reused.
>> The fact that it exists at all is me not understanding the handshake hash well.
>> Its safety properties are not well documented in the spec.  I.e. when
>> is it safe to sign it in which pattern?
>>
>>
>> in NX for example (which would just leave out the client static key),
>> is this safe?
>>
>> NX(rs):
>>   -> e
>>   <- e, ee, s, es  [u(h)]
>>   -> [u, u(h)]
>
> Hi Arvid,
>
> It's true that we don't provide a lot of advice about signing the
> handshake hash during the handshake.
>
> Ultimately, we'd want to handle this as part of Noise itself, rather
> than having people adding this in handshake payloads.
>
> For example, we might have something like a "sig" modifier which
> converts "es" and "se" tokens to signatures from the static key over
> the handshake hash:
>
> XXsig
>   -> e
>   <- e, ee, s, sig
>   -> s, sig
>
> However, there are details to work out (like naming the modifier and
> tokens), so we're probably months away from that.
>
>
> About your sketch - signing the static key makes sense if you want to
> reuse the signature and not sign every handshake (i.e. an "offline"
> signing key).  If you're signing the handshake hash then you don't
> need a Noise static key.  So in your sketch, either:
>  (a) the server's static is unneeded, or
>  (b) the server's signature should be over s, not h
>
> So you should think about which approach you want:  Do you want to
> sign statics and reuse the signatures, or do you want to do online
> signatures, in which case you don't need DH statics?
>
> Trevor


More information about the Noise mailing list