[messaging] Key exchange and DuplexWrap-like protocols
Mike Hamburg
mike at shiftleft.org
Tue Feb 10 22:33:00 PST 2015
On 02/10/2015 07:33 PM, Ben Harris wrote:
>
> > This has the same security properties as Noise, but only uses ECC
> > and Keccak.
> Keccak-f just to avoid any confusion (i.e. the permutation only, it
> uses different API and domain properties to Keccak).
>
Ah right, good catch.
>
> forget() is weaker than Axolotl, as forget is just erasing state bits
> to prevent inverting the permutation (breaking a previous message).
> Axolotl creates new ephemerals to prevent breaking future messages too.
>
Yes, which is why I wrote:
> [Mike] Once the connections are set up, you can ratchet them at will, either in a simple way (using forget()) or by incorporating new DH ephemerals as in Axolotl.
I was thinking that you could exchange ephemerals, then header(g^xy) and
forget() in some order.
>
> Using Keyak as the AEAD cipher for bodies is great. But using it for
> everything might present some issues with lost messages (can't skip a
> message without having the body) and the concurrency stuff you mention.
>
Hm, yes. It would only really work for protocols which run over TCP or
similar.
>
> It would be interesting to look at an Axolotl-sponge that modifies
> Axolotl to suit a sponge construction like Keyak. One example is
> simplifying header encryption into two sequential calls to DuplexWrap
> instead of two decryptions with separate keys.
>
Yeah, the simpler header encryption was really what I was after.
Cheers,
-- Mike
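As an added illustration (not code from this thread, and not Mike's or Keyak's design), the toy below shows the property Ben describes: an attacker who captures the full duplex state and knows the public headers can invert the permutation and walk back to earlier message keys, while a forget() that erases state bytes before the next permutation stops that walk. The permutation, the 8-byte rate / 12 erased bytes layout, and the header-then-key schedule are assumptions made for the example, standing in for Keccak-f and DuplexWrap.

```python
# Toy duplex sponge: 16-byte state = 8-byte rate + 8-byte capacity. permute() is a tiny
# invertible ARX function standing in for Keccak-f; NOT secure, only here so its inverse is explicit.
MASK = (1 << 64) - 1
RATE, ERASE = 8, 12          # forget() erases the rate plus 4 capacity bytes (assumption)
RC = [(i * 0x9E3779B97F4A7C15) & MASK for i in range(8)]   # toy round constants

def _rotl(x, r): return ((x << r) | (x >> (64 - r))) & MASK
def _split(s): return int.from_bytes(s[:8], 'little'), int.from_bytes(s[8:], 'little')
def _join(a, b): return a.to_bytes(8, 'little') + b.to_bytes(8, 'little')

def permute(state):
    a, b = _split(state)
    for c in RC:
        a = (a + b) & MASK
        b = _rotl(b, 13) ^ a ^ c
        a = _rotl(a, 32)
    return _join(a, b)

def unpermute(state):        # exact inverse of permute()
    a, b = _split(state)
    for c in reversed(RC):
        a = _rotl(a, 32)             # rotl by 32 is its own inverse on 64 bits
        b = _rotl(b ^ a ^ c, 51)     # rotr by 13 == rotl by 51
        a = (a - b) & MASK
    return _join(a, b)

def xor_into_rate(state, data):      # XOR up to RATE bytes of data into the rate
    pad = data[:RATE].ljust(len(state), b'\0')
    return bytes(x ^ y for x, y in zip(state, pad))

def derive_keys(master, headers, use_forget):
    """Sender: absorb each public header, squeeze a message key, optionally forget()."""
    state, keys = permute(master.ljust(16, b'\0')[:16]), []
    for h in headers:
        state = permute(xor_into_rate(state, h))        # absorb header
        keys.append(state[:RATE])                        # squeeze message key
        if use_forget:                                   # erase bits, then permute
            state = permute(bytes(ERASE) + state[ERASE:])
    return keys, state

def rollback_keys(leaked_state, headers):
    """Attacker with the full current state and the public headers walks the duplex
    backwards by inverting the permutation; ERASE zero bytes mark a forget() boundary."""
    recovered, state = [], leaked_state
    for h in reversed(headers):
        before = unpermute(state)
        if before[:ERASE] == bytes(ERASE): break       # erased key is gone; stop here
        recovered.append(state[:RATE])                   # this step's message key
        state = xor_into_rate(before, h)                 # undo the header absorb
    return recovered
```

Erasing only capacity bytes would leave the most recent key sitting in the rate for the attacker to read off after a single inversion, which is why the toy's forget() erases the rate as well.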