<div dir="ltr">Hi guys,
<div><br></div><div>I'm working on a kernel space VPN using some Noise-like ideas. I'd like to keep the number of back-and-forths in the protocol to an absolute minimum. I want perfect forward secrecy, but I value fewer round trips over identity hiding. So I just use simple ECDH for that:</div><div><br></div><div>1. client -> server:</div><div> client ephemeral public key</div><div>2. server -> client:</div><div> server ephemeral public key</div><div>3. client -> server:</div><div> vpn data encrypted with symmetric authenticated encryption using as its key HKDF(client ephemeral private key * server ephemeral public key)</div><div>4. server -> client:</div><div> vpn data encrypted with symmetric authenticated encryption using as its key HKDF(server ephemeral private key * client ephemeral public key)</div><div><br></div><div>So far so good?</div><div><br></div><div>I'd obviously like steps 1 and 2 to be properly authenticated with the long-term keys of the client and server. The most obvious way to do that is with a signature algorithm:</div><div><br></div><div><div>1. client -> server:</div><div> client ephemeral public key | SIGNATURE(client ephemeral public key, client longterm private key)</div><div>2. server -> client:</div><div> server ephemeral public key | SIGNATURE(server ephemeral public key, server longterm private key)</div></div><div><br></div><div>This seems to work, but in practice it makes my codebase a bit more cumbersome, as in addition to the simple Curve25519 function for ECDH, I now have to bring in the family of Ed25519 functions. I see that Noise avoids signatures by using authenticated encryption with ECDH-derived shared secrets. What I'm wondering is: would the below work correctly (securely) as steps 1 and 2:</div><div><div><br>1. client -> server:</div><div> key1 = key2 = HKDF(client longterm private key * server longterm public key)</div><div> AUTHENTICATED_ENCRYPTION(client ephemeral public key, key1)</div>
<div>2. server -> client:</div><div> key2 = key1 = HKDF(server longterm private key * client longterm public key)</div><div> AUTHENTICATED_ENCRYPTION(server ephemeral public key, key2)</div></div><div><br></div><div>Is this valid? Is there something else I need to keep in mind here?</div><div><br></div><div>Thanks,</div><div>Jason</div></div>
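The four-step exchange proposed above, written out as an added example (not the poster's code), using X25519, HKDF-SHA256 and ChaCha20-Poly1305 from Python's `cryptography` package; steps 1 and 2 carry the ephemeral public keys under the static-static key, steps 3 and 4 carry data under the ephemeral-ephemeral key. The direction-tagged counter nonces, the HKDF labels, the single-connection scope and the sample payload are my assumptions, not part of the post.

```python
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

def hkdf(shared: bytes, info: bytes) -> bytes:
    # HKDF-SHA256 over the raw DH output, 32-byte key, no salt (assumed parameters)
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=info).derive(shared)
def dh(priv: X25519PrivateKey, peer_pub: bytes) -> bytes:
    # the post's "private key * public key", as X25519
    return priv.exchange(X25519PublicKey.from_public_bytes(peer_pub))
def pub_bytes(priv: X25519PrivateKey) -> bytes:
    return priv.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
def nonce(label: bytes, counter: int) -> bytes:
    # 12-byte nonce = 4-byte direction tag + 8-byte counter (my assumption, not in the post)
    return label[:4].ljust(4, b"\0") + counter.to_bytes(8, "little")

class Peer:
    def __init__(self, label: bytes):
        self.label = label                            # b"client" or b"server"
        self.static = X25519PrivateKey.generate()     # long-term key
        self.eph = X25519PrivateKey.generate()        # fresh per connection
        self.session_key = None
    def handshake_msg(self, peer_static_pub: bytes) -> bytes:
        # steps 1/2: our ephemeral public key, AEAD-encrypted under HKDF(static-static DH)
        key = hkdf(dh(self.static, peer_static_pub), b"handshake")
        return ChaCha20Poly1305(key).encrypt(nonce(self.label, 0), pub_bytes(self.eph), None)
    def handshake_recv(self, msg: bytes, peer_static_pub: bytes, peer_label: bytes) -> None:
        key = hkdf(dh(self.static, peer_static_pub), b"handshake")  # equals the sender's key
        peer_eph_pub = ChaCha20Poly1305(key).decrypt(nonce(peer_label, 0), msg, None)
        # steps 3/4 key: HKDF(ephemeral-ephemeral DH); gone once both ephemerals are erased
        self.session_key = hkdf(dh(self.eph, peer_eph_pub), b"session")
    def seal(self, counter: int, data: bytes) -> bytes:
        return ChaCha20Poly1305(self.session_key).encrypt(nonce(self.label, counter), data, None)
    def open(self, counter: int, peer_label: bytes, ct: bytes) -> bytes:
        return ChaCha20Poly1305(self.session_key).decrypt(nonce(peer_label, counter), ct, None)

def run_exchange(payload: bytes = b"constructed vpn packet") -> dict:
    client, server = Peer(b"client"), Peer(b"server")
    c_static, s_static = pub_bytes(client.static), pub_bytes(server.static)
    server.handshake_recv(client.handshake_msg(s_static), c_static, b"client")  # step 1
    client.handshake_recv(server.handshake_msg(c_static), s_static, b"server")  # step 2
    ct = client.seal(1, payload)                                                # step 3
    try:  # a flipped ciphertext bit must fail the AEAD tag check on the server side
        server.open(1, b"client", bytes([ct[0] ^ 1]) + ct[1:])
        tampered_rejected = False
    except InvalidTag:
        tampered_rejected = True
    return {"keys_match": client.session_key == server.session_key,
            "plaintext": server.open(1, b"client", ct), "tampered_rejected": tampered_rejected}
```

Step 4 is `server.seal(...)` / `client.open(...)` with the roles swapped; the same per-direction counter scheme applies.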