[noise] selfie attack

[Nadim Kobeissi]

Hello everyone,

I'd like to share something I wrote about the recent Selfie attack on TLS 1.3 and how it reflects on prior formal verification efforts:

https://nadim.micro.blog/2019/04/11/selfies-reflections-on.html

The article essentially explains that it's not particularly surprising that Selfie wasn't caught by formal verification efforts for TLS 1.3, since those were focused on modeling for different classes of attacks which much more damaging implications.

Happy to hear your comments!

Nadim Kobeissi
Symbolic Software • https://symbolic.software

> On 3 Apr 2019, at 5:29 PM, David Wong <davidwong.crypto at gmail.com> wrote:
> 
> 
>>> 
>>> This paper https://eprint.iacr.org/2019/347.pdf points out that (in
>>> Noise terms) NNpsk handshakes and traffic can be reflected back to the
>>> originator if it acts as client and server
>> 
>> That's true, if a node is willing to serve as an initiator or
>> responder based solely on PSK authentication then it is willing to
>> talk to itself, so could end up handling its own reflected messages.
>> 
>> That's obvious in a sense, but might be overlooked by protocol
>> designers / developers.  I think it merits a security consideration
>> that entities should bind some other identity information in this case
>> (via handshake payloads or prologue), not sure we could do much else.
> 
> I think the biggest issue with TLS 1.3 is how this PSK could come from a previous handshake (to do session-resumption). This is where things are not so obvious IMO. Noise doesn’t seem to mention session resumption so I’m not sure if it would make sense to add something about it. That seems like a protocol design concern though.
> 
> David
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/noise