[noise] ECDH Authentication - Signatures vs Authenticated Encryption
Jason A. Donenfeld
Jason at zx2c4.com
Sat Jul 4 19:30:20 PDT 2015
Hi folks,
Sorry for all the noise (hah), but I've just finished a week of
binging on crypto papers, and I have a better idea of what I'm looking
for. Please -- if my novice inquiries are getting tiresome, do feel
completely free to send me an email onlist or offlist saying, "hey,
out of your league, keep it down", and I'll stop writing so much.
A client knows the server's IP address, port, and public key.
A server has a list of public keys it will accept, but doesn't know
from where each will be connecting.
Assuming a UDP-based connection-less setup.
I believe this setup here is a candidate for HandshakeXK:
HandshakeXK:
<- s
******
-> e, dhes
<- e, dhee
-> s, dhse
There is a major problem with this, however, that I alluded to before.
I have two additional requirements:
1. Silence: a server or a client simply will not respond to any
invalid or unauthenticated packets. It will only give indication that
anything exists behind a particular UDP port upon reception of a
properly authenticated message.
2. Anti denial of service: the amount of state stored on a server (or
client, for that matter) must be linearly proportional to the number
of public keys it will accept. Further, no state must be modified, and
no allocations must be made, unless in response to a packet that is
properly authenticated.
I'd like to avoid using signatures, to keep things simple, but if I
must use a signature in the end, then I must. What's the proper way to
address these two requirements within noise? Plus, there's an issue of
replay, when doing authentication before the handshake has completed,
though perhaps timestamping (YUCK!) could be used here...
Well, I'm a bit stumped. And I couldn't find anything in the
literature to help me out. Any ideas are more than welcome.
Thanks,
Jason
More information about the Noise
mailing list