[noise] ECDH Authentication - Signatures vs Authenticated Encryption

Michael Hamburg mike at shiftleft.org
Sat Jun 13 10:29:43 PDT 2015


If the parties know each others’ long-term public keys, though, that third message is redundant, right?  But I guess you can’t use triple-DH in this case.  You’d need either a signature or a static-static DH to authenticate the client if you want to do so in the first flow.

— Mike

> On Jun 13, 2015, at 1:49 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> 
> Hi Trevor, Mike,
> 
> Thanks for your feedback. One thing that's not so appealing about a HandshakeXS is that it requires the server to respond (and store data) without authenticating the client at all first. This is a problem for me implementation wise, as in fact this code is running in the kernel (!!), and I'd like it to be both totally silent unless there's a valid client, and I'd like it to totally avoid allocations, unless there's a valid client.
> 
> I guess, though, this could be solved just by appending signatures to each message? That mostly looses the identity hiding aspect, but I guess that's okay.
> 
> But along that line, couldn't the "key-compromise impersonation" attack be warded off just by adding signatures to my original two step exchange?
> 
> (By the way, anyone have a good implementation of Trevor's Curve25519-Signatures spec?)
> 
> Jason
> 
> On Friday, June 12, 2015, Trevor Perrin <trevp at trevp.net <mailto:trevp at trevp.net>> wrote:
> On Wed, Jun 10, 2015 at 6:49 AM, Jason A. Donenfeld <Jason at zx2c4.com <>> wrote:
> >
> > 1. client -> server:
> >    key1 = key2 = HKDF(client longterm private key * server longterm public
> > key)
> >    AUTHENTICATED_ENCRYPTION(client ephemeral public key, key1)
> > 2. server -> client:
> >    key2 = key1 = HKDF(server longterm private key * client longterm public
> > key)
> >    AUTHENTICATED_ENCRYPTION(server ephemeral public key, key2)
> 
> 
> You're assuming both parties knows the other's long-term public key.
> So I'll stick with that.
> 
> Noise would chain the DH calculations together, so all later keys
> depend on earlier DHs.  Assuming you changed to do that, you'd be
> proposing something like below, in the terminology of [1]:
> 
>   -> dhss, e         # client does static-static DH, encrypts an ephemeral
>   <- dhse, e, dhee   # server does static-ephemeral DH, encrypts an ephemeral
> 
> 
> Relying on the static-static ephemeral for client authentication means
> a "Key-compromise impersonation" weakness: if the client's long-term
> key is compromised, the attacker can impersonate anyone else *to* the
> client.
> 
> It seems like you don't exchange any application data until the first
> round-trip is complete.  So the "HandshakeXS" pattern from [1] might
> be suitable:
> 
> HandshakeXS:
>   -> e, dhes
>   <- e, dhee
>   -> s, dhse
> 
> Which incrementally constructs a "TripleDH", as Mike points out.
> 
> This transmits the client's long-term public key in the third message
> (which can also contain appplication data).  You could optimize
> slightly by omitting the transmission of "s" (the client's long-term
> public key), since you're assuming that's already known to the server:
> 
>   -> e, dhes
>   <- e, dhee
>   -> dhse
> 
> Is that about what you want?
> 
> 
> Trevor
> 
> 
> [1]
> https://moderncrypto.org/mail-archive/noise/2015/000112.html <https://moderncrypto.org/mail-archive/noise/2015/000112.html>
> https://moderncrypto.org/mail-archive/noise/2015/000119.html <https://moderncrypto.org/mail-archive/noise/2015/000119.html>
> 
> 
> -- 
> Jason A. Donenfeld
> Deep Space Explorer
> fr: +33 6 51 90 82 66
> us: +1 513 476 1200
> www.jasondonenfeld.com <http://www.jasondonenfeld.com/>
> www.zx2c4.com <http://www.zx2c4.com/>
> zx2c4.com/keys/AB9942E6D4A4CFC3412620A749FC7012A5DE03AE.asc <http://zx2c4.com/keys/AB9942E6D4A4CFC3412620A749FC7012A5DE03AE.asc>
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org <mailto:Noise at moderncrypto.org>
> https://moderncrypto.org/mailman/listinfo/noise <https://moderncrypto.org/mailman/listinfo/noise>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20150613/01a0c3f4/attachment.html>


More information about the Noise mailing list