[noise] ECDH Authentication - Signatures vs Authenticated Encryption
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Jun 10 18:18:33 PDT 2015
On Wed 2015-06-10 09:49:59 -0400, Jason A. Donenfeld wrote:
> 1. client -> server:
> key1 = key2 = HKDF(client longterm private key * server longterm public
> key)
> AUTHENTICATED_ENCRYPTION(client ephemeral public key, key1)
> 2. server -> client:
> key2 = key1 = HKDF(server longterm private key * client longterm public
> key)
> AUTHENTICATED_ENCRYPTION(server ephemeral public key, key2)
One risk here is that you end up re-using the same key on each
connection, and in each direction.
That is, a network observer will know that the initial message in each
flow (both client->server and server->client, as well as any future
flows) will use the same exact key.
If the AE algorithm you're using has any limit on the number of
different messages you can safely encrypt under the same key, or if an
adversary's cryptanalysis uncovers a mechanism that allows (partial?)
key recovery based on a series of messages encrypted to the same key, it
gives them a better-than-expected chance of being able to impersonate
either peer to each other.
--dkg
More information about the Noise
mailing list