[noise] ECDH Authentication - Signatures vs Authenticated Encryption
Jason A. Donenfeld
Jason at zx2c4.com
Thu Jun 11 03:57:51 PDT 2015
On Thu, Jun 11, 2015 at 3:18 AM, Daniel Kahn Gillmor <dkg at fifthhorseman.net>
wrote:
>
> One risk here is that you end up re-using the same key on each
> connection, and in each direction.
> If the AE algorithm you're using has any limit on the number of
> different messages you can safely encrypt under the same key
I do use a random 12-byte nonce (chacha20poly1305 construction), but still
- you raise a good point.
So -- what if I mix a public salt of considerable size into the mix during
key derivation?
1. client -> server:
   salt = random_bytes(32)
   key1 = HKDF(client longterm private key * server longterm public key, salt)
   salt | AUTHENTICATED_ENCRYPTION(client ephemeral public key, key1)
2. server -> client:
   salt = random_bytes(32)
   key2 = HKDF(server longterm private key * client longterm public key, salt)
   salt | AUTHENTICATED_ENCRYPTION(server ephemeral public key, key2)
Also - is this general approach a *valid* way of avoiding needing Ed25519
signatures?
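The two-message exchange sketched above, written out as an added example (not code from the post, and not part of Noise). It assumes what the post leaves open: X25519 for the DH, HKDF-SHA256 with the 32-byte public salt as the HKDF salt and an empty info string, ChaCha20-Poly1305 with a random 12-byte nonce sent in the clear after the salt, and the salt passed as associated data so the AEAD tag covers it. It needs the `cryptography` package. The `handshake`, `send_ephemeral`, `recv_ephemeral`, `derive_key` and `gen_static` names are this example's own.

```python
"""Salted static-static DH plus AEAD as authentication (added example)."""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

SALT_LEN = 32    # the "public salt of considerable size" from the post
NONCE_LEN = 12   # random ChaCha20-Poly1305 nonce, fresh per message
TAG_LEN = 16


def gen_static():
    """Generate a long-term X25519 key (assumed curve)."""
    return X25519PrivateKey.generate()


def raw_pub(pub):
    """Raw 32-byte encoding of an X25519 public key."""
    return pub.public_bytes(serialization.Encoding.Raw,
                            serialization.PublicFormat.Raw)


def derive_key(my_static_priv, their_static_pub, salt):
    """key = HKDF(my longterm private * their longterm public, salt).

    Assumption: HKDF-SHA256, the wire salt as HKDF salt, empty info.
    Both parties compute the same DH secret, so only the salt separates keys.
    """
    shared = my_static_priv.exchange(their_static_pub)
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=salt,
                info=b"").derive(shared)


def send_ephemeral(my_static_priv, their_static_pub):
    """One direction: salt | nonce | AEAD(ephemeral public key, key).

    Returns (ephemeral private key, wire message). The salt is associated
    data so a receiver rejects a message whose salt was altered in transit.
    """
    salt = os.urandom(SALT_LEN)
    key = derive_key(my_static_priv, their_static_pub, salt)
    eph_priv = X25519PrivateKey.generate()
    nonce = os.urandom(NONCE_LEN)
    ct = ChaCha20Poly1305(key).encrypt(nonce, raw_pub(eph_priv.public_key()),
                                       salt)
    return eph_priv, salt + nonce + ct


def recv_ephemeral(my_static_priv, their_static_pub, msg):
    """Inverse of send_ephemeral.

    Returns the peer's ephemeral public key, or None when the tag fails:
    the sender did not hold the expected static private key, or the
    salt/nonce/ciphertext was modified.
    """
    if len(msg) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = msg[:SALT_LEN]
    nonce = msg[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct = msg[SALT_LEN + NONCE_LEN:]
    key = derive_key(my_static_priv, their_static_pub, salt)
    try:
        pt = ChaCha20Poly1305(key).decrypt(nonce, ct, salt)
    except InvalidTag:
        return None
    return X25519PublicKey.from_public_bytes(pt)


def handshake(client_static, server_static, tamper=False):
    """Run messages 1 and 2; return (client's, server's) ephemeral DH secret.

    Only the wire messages cross between the two roles; each role uses its
    own static private key and the peer's static public key.
    """
    client_pub = client_static.public_key()
    server_pub = server_static.public_key()

    # 1. client -> server
    c_eph, msg1 = send_ephemeral(client_static, server_pub)
    if tamper:  # flip one ciphertext bit on the wire
        msg1 = msg1[:-1] + bytes([msg1[-1] ^ 0x01])
    c_eph_pub = recv_ephemeral(server_static, client_pub, msg1)
    if c_eph_pub is None:
        return None

    # 2. server -> client
    s_eph, msg2 = send_ephemeral(server_static, client_pub)
    s_eph_pub = recv_ephemeral(client_static, server_pub, msg2)
    if s_eph_pub is None:
        return None

    return c_eph.exchange(s_eph_pub), s_eph.exchange(c_eph_pub)


if __name__ == "__main__":
    c, s = gen_static(), gen_static()
    a, b = handshake(c, s)
    print("session secrets agree:", a == b)
```

Two things the code makes visible that the sketch does not spell out: the static-static DH secret is identical in both directions, so key1 and key2 are the same key whenever the salts coincide, which is exactly what the random salt is there to prevent; and authentication here is only implicit, in that a message decrypts under the receiver's derived key only if the sender held the matching static private key, so a failed tag is the only signal an impostor produces.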