[noise] Why encrypted keys are authenticated?

Tony Arcieri bascule at gmail.com
Mon May 13 16:40:22 PDT 2019


On Mon, May 13, 2019 at 2:41 PM Loup Vaillant David <loup at loup-vaillant.fr>
wrote:

> I'm not talking about encryption. I'm talking about *authentication*.
> Besides, I believe the keys are encrypted only once.
>
> The ENCRYPT() function does both encryption and authentication, and its
> authentication tag is integrated to the message. I was wondering if we
> could reasonably omit that authentication tag without losing any
> security. I believe we can, but I wanted to make sure I didn't miss
> anything.


If I understand the point you're attempting to make, you want to shoehorn
in unauthenticated encryption as a micro-optimization to save the size of
one MAC in the key exchange.

Personally I think it's more parsimonious and less risky to always use
authenticated encryption. Even if there were no protocol-level security
risks involved in this change, the implementation risk is use of
unauthenticated encryption at an implementation level as a mistake, where
authenticated encryption is required.

An open question though: can an attacker inject low-order points in the
authenticated protocol and use them to perform a MitM attack? This seems to
be something of a classical problem.

I think the onus is on you to demonstrate:

1) This micro-optimization actually provides a meaningful benefit which
outweighs the potential risks of bad implementations owing to a more
complicated design that attempts to leverage both authenticated and
unauthenticated encryption
2) This change does not introduce security vulnerabilities owing to an
attacker who is able to inject low order points and therefore have a D-H
output be zero

-- 
Tony Arcieri
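As an added illustration of the low-order-point question raised in this message (example code, not from the original post or the Noise project): a pure-Python X25519 following the RFC 7748 Montgomery ladder, run against the u-coordinates 0, 1 and p-1, which are points of order 2 and 4. Because every clamped X25519 scalar is a multiple of 8, the ladder maps each of them to the identity and returns an all-zero shared secret, one that the peer who supplied the point already knows. RFC 7748 section 6.1 permits aborting on that output, which the x25519_checked wrapper does; the section 6.1 Diffie-Hellman vectors are included as a sanity check of the ladder. The low-order inputs and the helper names are constructed for this example, and the code is not constant-time, so it is for illustration only.

```python
# Pure-Python X25519 (RFC 7748 ladder), for illustration only: not constant-time.
P = 2**255 - 19   # field prime of Curve25519
A24 = 121665      # (486662 - 2) / 4, the ladder constant from RFC 7748
BASEPOINT = (9).to_bytes(32, "little")

def _decode_scalar(k: bytes) -> int:
    """Clamp a private key (RFC 7748 s.5). The low 3 bits are cleared, so the
    scalar is a multiple of 8 and kills every point of order 1, 2, 4 or 8."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] &= 127
    kb[31] |= 64
    return int.from_bytes(kb, "little")

def _decode_u(u: bytes) -> int:
    """Decode a little-endian u-coordinate; the top bit is ignored."""
    ub = bytearray(u)
    ub[31] &= 127
    return int.from_bytes(ub, "little") % P

def _cswap(swap: int, a: int, b: int):
    return (b, a) if swap else (a, b)   # a real implementation does this branch-free

def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder of RFC 7748 s.5; returns the raw 32-byte output."""
    k_int = _decode_scalar(k)
    x_1 = _decode_u(u)
    x_2, z_2 = 1, 0         # projective point at infinity
    x_3, z_3 = x_1, 1       # the input point
    swap = 0
    for t in range(254, -1, -1):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        x_2, x_3 = _cswap(swap, x_2, x_3)
        z_2, z_3 = _cswap(swap, z_2, z_3)
        swap = k_t
        a = (x_2 + z_2) % P
        aa = a * a % P
        b = (x_2 - z_2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x_3 + z_3) % P
        d = (x_3 - z_3) % P
        da = d * a % P
        cb = c * b % P
        x_3 = (da + cb) ** 2 % P
        z_3 = x_1 * ((da - cb) ** 2 % P) % P
        x_2 = aa * bb % P
        z_2 = e * ((aa + A24 * e) % P) % P
    x_2, x_3 = _cswap(swap, x_2, x_3)
    z_2, z_3 = _cswap(swap, z_2, z_3)
    # z_2 == 0 means the result is the identity; pow(0, P - 2, P) == 0 encodes it as 32 zeros.
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")

def x25519_checked(k: bytes, u: bytes) -> bytes:
    """X25519 plus the all-zero output check that RFC 7748 s.6.1 allows: an
    all-zero secret is one the peer who sent a low-order point already knows."""
    out = x25519(k, u)
    if out == bytes(32):
        raise ValueError("X25519 output is all-zero: low-order public key rejected")
    return out

# Constructed low-order inputs: u = 0 has order 2, u = 1 and u = p - 1 have order 4.
# Any clamped scalar (a multiple of 8) sends each of them to the identity.
LOW_ORDER_POINTS = [(0).to_bytes(32, "little"),
                    (1).to_bytes(32, "little"),
                    (P - 1).to_bytes(32, "little")]

# Diffie-Hellman test vector from RFC 7748 section 6.1.
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")

def low_order_outputs(k: bytes) -> list:
    """Raw X25519 output of private key k against every constructed low-order point."""
    return [x25519(k, u) for u in LOW_ORDER_POINTS]

if __name__ == "__main__":
    assert x25519(ALICE_PRIV, BOB_PUB) == x25519(BOB_PRIV, ALICE_PUB) == SHARED
    for u, out in zip(LOW_ORDER_POINTS, low_order_outputs(ALICE_PRIV)):
        print(f"u={u.hex()} -> {out.hex()}")
    try:
        x25519_checked(ALICE_PRIV, LOW_ORDER_POINTS[1])
    except ValueError as err:
        print("rejected:", err)
```

The check in x25519_checked is the one RFC 7748 describes; it is the piece an implementation relies on when the surrounding protocol offers no other way to notice that a peer's public key was a small-order point, which is why the question of whether a MAC elsewhere in the handshake can be dropped is tied to it.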