[noise] ECDH Authentication - Signatures vs Authenticated Encryption

Michael Hamburg mike at shiftleft.org
Thu Jun 11 06:35:25 PDT 2015


What about using a construction which is already proved secure, such as tripleDH or (patented) FHMQV?

TripleDH: client->server, server->client ephemeral keys.
key = HKDF(client eph * server longterm, client eph * server eph, server eph * client longterm)

— Mike

> On Jun 11, 2015, at 6:57 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> 
> On Thu, Jun 11, 2015 at 3:18 AM, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> One risk here is that you end up re-using the same key on each
> connection, and in each direction.
> If the AE algorithm you're using has any limit on the number of
> different messages you can safely encrypt under the same key
> 
> I do use a random 12 byte nonce (chacha20poly1305 construction), but still - you raise a good point.
> So -- what if I mix a public salt of considerable size into the mix during key derivation?
> 
> 1. client -> server:
>    salt = random_bytes(32)
>    key1 = HKDF(client longterm private key * server longterm public key, salt)
>    salt | AUTHENTICATED_ENCRYPTION(client ephemeral public key, key1)
> 2. server -> client:
>    salt = random_bytes(32)
>    key2 = HKDF(server longterm private key * client longterm public key, salt)
>    salt | AUTHENTICATED_ENCRYPTION(server ephemeral public key, key2)
> 
> 
> Also - is this general approach a *valid* way of avoiding needing Ed25519 signatures?
> 
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/noise
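Added example (not code from Mike, Jason, or the Noise project): a pure-Python sketch that runs both derivations discussed in this thread so the resulting keys can be compared. Assumptions the thread does not state: the DH function is X25519 (the RFC 7748 ladder, written out here in a non-constant-time form purely so the block runs offline), the KDF is HKDF-SHA256, and Mike's `a * B` notation means the DH output between a's private key and B's public key, concatenated in the order of his `key = HKDF(...)` line. The function names (`triple_dh_client`, `triple_dh_server`, `salted_static_dh`, `demo`) and the key material generated inside `demo()` are illustrative.

```python
# Added example, not from the thread: TripleDH as Mike describes it, next to the
# salted long-term-DH derivation from Jason's quoted message.
# Assumptions: X25519 for DH, HKDF-SHA256 for the KDF. The X25519 below is a
# textbook RFC 7748 ladder and is NOT constant-time; it exists only to run offline.
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _decode_scalar(k):
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(k, u):
    """Scalar multiplication k*u on Curve25519 (RFC 7748 section 5 ladder)."""
    k = _decode_scalar(k)
    u = bytearray(u)
    u[31] &= 127
    x1 = int.from_bytes(u, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # conditional swap; a real implementation does this branch-free
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def hkdf_sha256(ikm, salt=b"", info=b"", length=32):
    """HKDF (RFC 5869) extract-then-expand with SHA-256."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def triple_dh_client(c_priv, ce_priv, s_pub, se_pub):
    """Client side of Mike's TripleDH: HKDF(ce*S || ce*se || c*se)."""
    return hkdf_sha256(x25519(ce_priv, s_pub) + x25519(ce_priv, se_pub) + x25519(c_priv, se_pub))


def triple_dh_server(s_priv, se_priv, c_pub, ce_pub):
    """Server side: the same three DH values, reached with the server's secrets."""
    return hkdf_sha256(x25519(s_priv, ce_pub) + x25519(se_priv, ce_pub) + x25519(se_priv, c_pub))


def salted_static_dh(my_longterm_priv, their_longterm_pub, salt):
    """Jason's key1/key2: HKDF(longterm * longterm, salt). Only the salt changes per connection."""
    return hkdf_sha256(x25519(my_longterm_priv, their_longterm_pub), salt=salt)


def demo():
    c_priv, c_pub = keypair()    # client long-term
    s_priv, s_pub = keypair()    # server long-term
    ce_priv, ce_pub = keypair()  # client ephemeral for this connection
    se_priv, se_pub = keypair()  # server ephemeral for this connection
    k_client = triple_dh_client(c_priv, ce_priv, s_pub, se_pub)
    k_server = triple_dh_server(s_priv, se_priv, c_pub, ce_pub)
    # Someone who knows the server's public key but not s_priv cannot compute ce*S,
    # so substituting his own long-term key yields a different session key.
    fake_priv, _ = keypair()
    k_impostor = triple_dh_server(fake_priv, se_priv, c_pub, ce_pub)
    # Jason's construction: both sides agree, and a fresh salt gives a fresh derived key
    # even though the long-term DH value feeding HKDF is identical every connection.
    salt1, salt2 = os.urandom(32), os.urandom(32)
    j1_client = salted_static_dh(c_priv, s_pub, salt1)
    j1_server = salted_static_dh(s_priv, c_pub, salt1)
    j2_client = salted_static_dh(c_priv, s_pub, salt2)
    return {
        "triple_dh_agrees": k_client == k_server,
        "impostor_gets_same_key": k_impostor == k_client,
        "salted_static_agrees": j1_client == j1_server,
        "salted_keys_differ_per_salt": j1_client != j2_client,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running `demo()` shows the two TripleDH sides agree, that an impostor who substitutes his own long-term key for the server's does not reach the client's key, and that Jason's construction also agrees on both sides while the salt alone varies the derived key from one connection to the next.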
