[messaging] Key exchange and DuplexWrap-like protocols
mike at shiftleft.org
Tue Feb 10 22:33:00 PST 2015
On 02/10/2015 07:33 PM, Ben Harris wrote:
> > This has the same security properties as Noise, but only uses ECC
> > and Keccak.
> Keccak-f just to avoid any confusion (i.e. the permutation only, it
> uses different api and domain properties to Keccak).
Ah right, good catch.
> forget() is weaker than Axolotl, as forget is just erasing state bits
> to prevent inverting the permutation (breaking a previous message).
> Axolotl creates new ephemerals to prevent breaking future messages too.
Yes, which is why I wrote:
> [Mike] Once the connections are set up, you can ratchet them at will, either in a simple way (using forget()) or by incorporating new DH ephemerals as in Axolotl.
I was thinking that you could exchange ephemerals, then header(g^xy) and
forget() in some order.
> Using Keyak as the AEAD cipher for bodies is great. But using it for
> everything might present some issues with lost messages (can't skip a
> message without having the body) and the concurrency stuff you mention.
Hm, yes. It would only really work for protocols which run over TCP or
> It would be interesting to look at an Axolotl-sponge that modifies
> Axolotl to suit a sponge construction like Keyak. One example is
> simplifying header encryption into two sequential calls to DuplexWrap
> instead of two decryptions with separate keys.
Yeah, the simpler header encryption was really what I was after.
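Added example, written for this page and not taken from the thread or from Keyak, Noise or Axolotl: a toy DuplexWrap-style session in Python on top of Keccak-f[1600]. The permutation follows the public specification (the round constants are derived from the FIPS 202 LFSR and the sponge is cross-checked against hashlib's SHA3-256); everything above it is an assumed simplification of the ideas discussed: the header and body go in as two sequential duplex calls, forget() erases 256 state bits so the invertible permutation cannot be run backwards to earlier keystream, and the "key" label, the padding suffixes, the 16-byte tag, the single-block bodies and the shared key value are constructed choices, not Keyak's Motorist mode. The demo also shows the lost-message point: the receiver cannot unwrap message 2 without first absorbing message 1.

```python
import hashlib
import hmac

MASK64 = (1 << 64) - 1
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]

def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK64

def _rc(t):  # FIPS 202 rc(t) LFSR, from which the iota round constants are derived
    r = 1
    for _ in range(t % 255):
        r <<= 1
        if r & 0x100:
            r ^= 0x171
    return r & 1
RC = [sum(_rc(j + 7 * i) << ((1 << j) - 1) for j in range(7)) for i in range(24)]

def keccak_f1600(lanes):  # 24 rounds of theta/rho/pi/chi/iota on 25 lanes indexed x + 5*y
    a = list(lanes)
    for rnd in range(24):
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(a[x + 5 * y], ROT[x][y])
        a = [b[i] ^ (~b[(i % 5 + 1) % 5 + 5 * (i // 5)] & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]
        a[0] ^= RC[rnd]
    return a

def _permute(state):  # 200-byte state -> lanes -> f -> bytes
    lanes = [int.from_bytes(state[8 * i:8 * i + 8], "little") for i in range(25)]
    return bytearray(b"".join(lane.to_bytes(8, "little") for lane in keccak_f1600(lanes)))

def _pad(data, rate, suffix):  # data || suffix || 0* with 0x80 ORed into the last byte
    buf = bytearray(data) + bytes([suffix]) + b"\x00" * (-(len(data) + 1) % rate)
    buf[-1] |= 0x80
    return [buf[i:i + rate] for i in range(0, len(buf), rate)]

def sha3_256(msg):  # plain sponge use of the same permutation, rate 136 bytes
    state = bytearray(200)
    for block in _pad(msg, 136, 0x06):
        for i, byte in enumerate(block):
            state[i] ^= byte
        state = _permute(state)
    return bytes(state[:32])

def matches_hashlib(msg):  # sanity check of the permutation against the standard library
    return sha3_256(msg) == hashlib.sha3_256(msg).digest()

class DuplexSession:  # toy DuplexWrap-style session; assumed simplification, not Keyak's mode
    RATE, TAG = 136, 16
    def __init__(self, key):
        self.state = bytearray(200)
        self.absorb(b"key" + key)  # constructed domain label, not a standard one
    def absorb(self, data):
        for block in _pad(data, self.RATE, 0x01):
            for i, byte in enumerate(block):
                self.state[i] ^= byte
            self.state = _permute(self.state)
    def wrap(self, header, body):  # header then body as two sequential duplex calls
        assert len(body) < self.RATE, "toy: single-block bodies only"
        self.absorb(header)                                   # header authenticated, not encrypted
        ct = bytes(p ^ s for p, s in zip(body, self.state))   # outer state is the keystream
        self.absorb(ct)                                       # ciphertext feeds back into the state
        return ct + bytes(self.state[:self.TAG])              # squeeze the tag
    def unwrap(self, header, blob):
        ct, tag = blob[:-self.TAG], blob[-self.TAG:]
        saved = bytes(self.state)                 # roll back on failure so the session stays usable
        self.absorb(header)
        body = bytes(c ^ s for c, s in zip(ct, self.state))
        self.absorb(ct)
        if not hmac.compare_digest(bytes(self.state[:self.TAG]), tag):
            self.state = bytearray(saved)
            raise ValueError("authentication failed")
        return body
    def forget(self):
        # Erase 256 state bits, then permute: without them the invertible permutation cannot
        # be run backwards to earlier keystream. No fresh DH secret is mixed in, so this
        # protects past messages only, as Ben notes.
        self.state[-32:] = b"\x00" * 32
        self.state = _permute(self.state)

def demo():
    key = b"constructed-shared-secret"          # stand-in for a g^xy-derived key
    alice, bob = DuplexSession(key), DuplexSession(key)
    m1, m2 = alice.wrap(b"hdr1", b"first message"), alice.wrap(b"hdr2", b"second message")
    try:                                         # can't skip m1: m2's keystream depends on it
        bob.unwrap(b"hdr2", m2)
        skipped = True
    except ValueError:
        skipped = False
    p1, p2 = bob.unwrap(b"hdr1", m1), bob.unwrap(b"hdr2", m2)
    alice.forget(); bob.forget()                 # ratchet in lockstep on both sides
    p3 = bob.unwrap(b"hdr3", alice.wrap(b"hdr3", b"after forget"))
    return skipped, p1, p2, p3
```

Running demo() returns (False, b"first message", b"second message", b"after forget"): the out-of-order unwrap fails and the session is rolled back, the in-order unwraps succeed, and both sides keep working after a lockstep forget(). The rollback in unwrap() is the detail that matters in practice: a failed authentication must not leave the receiver's state advanced, or an attacker who injects garbage can desynchronise the two ends.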