[noise] MAC'ing recipient public key
Stephen Touset
stephen at squareup.com
Tue Jul 29 15:07:17 PDT 2014
On Jul 13, 2014, at 10:08 PM, Trevor Perrin <trevp at trevp.net> wrote:
> Another change:
>
> The recipient pubkey is included in the additional authenticated data
> for both box MACs. This ensures that if the sender can decrypt a box,
> it must have been encrypted to the sender's pubkey. While this can
> also be accomplished by taking care with the ECDH, I think it's
> simpler to just include the recipient's key into the mac.
Perhaps I’m overlooking something, but this seems impossible to reconcile with pipes.
When a server first sees a client, the only thing they receive is the client’s ephemeral key. They have no forehand knowledge of the client’s long-term public key, and thus cannot properly compute the MAC.
--
Stephen Touset
stephen at squareup.com