<div dir="auto">You are missing the fourth line with se on that pattern</div><br><div class="gmail_quote"><div dir="ltr">On Thu, 24 May 2018, 18:51 Nadim Kobeissi, <nadim@symbolic.software> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello everyone,<br>
<br>
I just noticed something:<br>
<br>
X1X1:<br>
-> e<br>
<- e, ee, s<br>
-> es, s<br>
<-<br>
-><br>
<br>
In this pattern, a static key is sent by the initiator (in the third<br>
message) and never used. According to Katriel's suggestion of invalidating<br>
Noise Handshake Patterns that would send unused key shares, this<br>
description of X1X1 would be invalid.<br>
<br>
What should be done? Modify X1X1, or annul Katriel's proposed restriction?<br>
<br>
Nadim Kobeissi<br>
Symbolic Software • <a href="https://symbolic.software" rel="noreferrer noreferrer" target="_blank">https://symbolic.software</a><br>
Sent from office<br>
On Thu, May 24, 2018 at 7:30 PM Nadim Kobeissi <nadim@symbolic.software><br>
wrote:<br>
<br>
> Dear Trevor,<br>
<br>
> Here is the exact text of the grades in question in today's Noise<br>
> specification:<br>
<br>
> Authenticity grade 1: "Sender authentication vulnerable to key-compromise<br>
> impersonation (KCI). The sender authentication is based on a static-static<br>
> DH ("ss") involving both parties' static key pairs. If the recipient's<br>
> long-term private key has been compromised, this authentication can be<br>
> forged. Note that a future version of Noise might include signatures,<br>
which<br>
> could improve this security property, but brings other trade-offs."<br>
<br>
> Authenticity grade 2: "Sender authentication resistant to key-compromise<br>
> impersonation (KCI). The sender authentication is based on an<br>
> ephemeral-static DH ("es" or "se") between the sender's static key pair<br>
and<br>
> the recipient's ephemeral key pair. Assuming the corresponding private<br>
keys<br>
> are secure, this authentication cannot be forged."<br>
<br>
> The issue lies in that the above two paragraphs do not specify whether<br>
> there is an opening for a malicious principal to mess with things. Observe<br>
> message C in the following two results:<br>
<br>
> <a href="https://noiseexplorer.com/patterns/KN.noise.html" rel="noreferrer noreferrer" target="_blank">https://noiseexplorer.com/patterns/KN.noise.html</a><br>
> <a href="https://noiseexplorer.com/patterns/IK.noise.html" rel="noreferrer noreferrer" target="_blank">https://noiseexplorer.com/patterns/IK.noise.html</a><br>
<br>
> In IK, message C is resistant to key compromise impersonation even if its<br>
> sender (the initiator) negotiates a separate session in parallel with a<br>
> compromised principal Charlie, who is controlled by the attacker<br>
> unbeknownst to the sender.<br>
<br>
> In KN, message C is also resistant to key compromise impersonation, but<br>
> unlike message C in IK, this property does not hold if Charlie also enters<br>
> the fray in a similar manner.<br>
<br>
> In the current Noise specification, both KN and IK are given the similar<br>
> grade for authenticity. That is the problem and the reason for the<br>
expanded<br>
> authenticity grading system. In Noise Explorer's system, grades 3 and 4<br>
> essentially are short hand for "1 and 2 but with maintained key compromise<br>
> impersonation resistance even when negotiating with a compromised<br>
> principal."<br>
<br>
> Now, I understand your suggestion with regards to pairing these grades<br>
with<br>
> corresponding confidentiality queries, but this raises two questions in my<br>
> mind:<br>
<br>
> 1. The confidentiality queries in question are written and formalized to<br>
> deal with message secrecy and forward secrecy two properties that do not<br>
at<br>
> all touch upon authenticity. Shouldn't we strive to therefore working on<br>
> separating these properties formally?<br>
<br>
> 2. There is also the question of reduced precision. Instead of having<br>
> authenticity grades "1, 3-5" and grade "2, 3-5", why not settle for a<br>
> system where we obtain precise grades for authenticity, independently from<br>
> having to look at a confidentiality/message secrecy/forward secrecy<br>
result?<br>
<br>
> Nadim Kobeissi<br>
> Symbolic Software • <a href="https://symbolic.software" rel="noreferrer noreferrer" target="_blank">https://symbolic.software</a><br>
> Sent from office<br>
> On Thu, May 24, 2018 at 6:10 PM Trevor Perrin <<a href="mailto:trevp@trevp.net" target="_blank" rel="noreferrer">trevp@trevp.net</a>> wrote:<br>
<br>
> > On Thu, May 24, 2018 at 12:05 PM, Nadim Kobeissi<br>
> > <nadim@symbolic.software> wrote:<br>
> > > Hello everyone,<br>
> > > I've been following up on all of these discussions very closely, but<br>
> have<br>
> > > not said anything because I've been working furiously on getting all<br>
the<br>
> > > formal results for all 22 deferred patterns *with* two "tokenless"<br>
> messages<br>
> > > out. I'm afraid that with the addition of two "tokenless" messages to<br>
> every<br>
> > > single model, the cost of verification increases dramatically. Things<br>
> are<br>
> > > still going to take quite a long time -- I wish we weren't nearing<br>
> June, at<br>
> > > least I'd have a use for the free radiators I now have in my apartment<br>
> due<br>
> > > to this -- quite a lot of finely tuned dedicated hardware is now<br>
dealing<br>
> > > with the formal verification load.<br>
> > ><br>
> > > An important clarification: Trevor says the following:<br>
> > >> Thinking more on rev34, it would probably be irresponsible to publish<br>
> > >> *without* security tables for all the deferred patterns... So I'd<br>
> > >> love to work out how to get your output processed into some tables<br>
> > >> like the current ones (or possibly changed around a bit, depending on<br>
> > >> that discussion). Or really: for you to work that out, so I could<br>
> > >> just copy-and-paste :-)....<br>
> > ><br>
> > > Trevor, the security tables for 20 of the deferred patterns are<br>
already<br>
> > > available on Noise Explorer's website. They simply do not include the<br>
> > > "tokenless" messages. Just a note in the event that you missed that.<br>
:-)<br>
> > ><br>
> > > Regarding the discussions on security properties, I'm personally<br>
> currently<br>
> > > satisfied with the recognition that any deferred pattern that opens<br>
up a<br>
> > > potential UKS attack will simply never qualify towards authenticity<br>
> grades<br>
> > > 3 and 4 (as defined by Noise Explorer) and will always be restricted<br>
to<br>
> a<br>
> > > maximum of 1 or 2 (as defined by Noise Explorer, see my previous email<br>
> > > where I list a "very quick summary" of the additions to the<br>
authenticity<br>
> > > properties.)<br>
<br>
> > Hmm, the way I think about it, no patterns should ever open up a<br>
> > potential UKS attack? Also, the deferred patterns should end up with<br>
> > the same properties as their corresponding fundamental pattern, since<br>
> > they perform the same operations.<br>
<br>
> > Looking more closely at your numeric grades, I think your two new<br>
> > authentication grade numbers just correspond to the Noise<br>
> > authentication grades 0-2, except you use 2 new numbers based on the<br>
> > confidentiality grade it's being paired with:<br>
<br>
> > ("NE" for Noise Explorer):<br>
<br>
> > NE 0 -> spec(0, 0-2)<br>
> > NE 1 -> spec(1, 0-2)<br>
> > NE 2 -> spec(2, 0-2)<br>
> > NE 3 -> spec(1, 3-5)<br>
> > NE 4 -> spec(2, 3-5)<br>
<br>
> > In other words, I don't think these new NE grades encode new<br>
> > information. So I'm not yet convinced they improve things versus the<br>
> > Noise spec's system, seems like we could map your 3->1, and your 4->2,<br>
> > and bring things into alignment?<br>
<br>
> > Trevor<br>
_______________________________________________<br>
Noise mailing list<br>
<a href="mailto:Noise@moderncrypto.org" target="_blank" rel="noreferrer">Noise@moderncrypto.org</a><br>
<a href="https://moderncrypto.org/mailman/listinfo/noise" rel="noreferrer noreferrer" target="_blank">https://moderncrypto.org/mailman/listinfo/noise</a><br>
</blockquote></div>