[noise] Why encrypted keys are authenticated?

Trevor Perrin trevp at trevp.net
Mon May 13 16:48:15 PDT 2019


On Mon, May 13, 2019 at 3:49 AM Loup Vaillant David
<loup at loup-vaillant.fr> wrote:
>
> Hi,
>
> Noise has an apparent redundancy that bothers me a little: encrypted
> public keys in handshake messages are authenticated *twice*: once with
> the key that encrypts them, and once again with the key that encrypts
> (and authenticates) the payload message.

Hi Loup,

We discussed this briefly before:

https://moderncrypto.org/mail-archive/noise/2018/001864.html

In general if you want to encrypt something with a symmetric key you
want authenticated encryption.

Omitting the "authenticated" part can open up attacks against
confidentiality, e.g. a network attacker can XOR something into a
legitimate ciphertext causing the receiver to operate on a tampered
plaintext in a way that reveals something about the plaintext (either
via an error behavior or timing).

Trevor


More information about the Noise mailing list