[noise] Replace calls to kernel.MixHash with kernel.MixKey

Jason A. Donenfeld Jason at zx2c4.com
Mon Aug 31 03:17:15 PDT 2015


On Thursday, August 27, 2015, Trevor Perrin <trevp at trevp.net> wrote:
>
>
> Currently handshake messages and transport messages are distinct due
> to aad=h, if you lose that difference you'd have to convince yourself
> there's no case where handshake and transport messages could get
> confused for each other.
>
> You could probably do that, or maybe add a minor tweak to
> differentiate them, so it's probably secure or close to it.
>

I have a 1 byte prologue that contains a message type, so there's no chance
of things getting accidentally "confused". But that doesn't rule out a
malicious party cutting and pasting chunks together.

This is why in the previous noise spec, I liked how all previous bytes of
the message were added to AAD at each step. This seemed like an elegant
solution to this.

In either case though, I don't really see how this attack would be
feasible. Let's say a MITM modifies a handshake message and changes my one
byte prologue from "type=handshake" to "type=transport". Or, let's say a
MITM modifies a transport message and changes my one byte prologue from
"type=transport" to "type=handshake". So what? Since transport messages use
different (derived) keys than handshake messages, wouldn't the mismatched
messages be rejected immediately? What's the vulnerability here precisely?


-- 
Jason A. Donenfeld
Deep Space Explorer
fr: +33 6 51 90 82 66
us: +1 513 476 1200
www.jasondonenfeld.com
www.zx2c4.com
zx2c4.com/keys/AB9942E6D4A4CFC3412620A749FC7012A5DE03AE.asc
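A small model of the two message classes and the two defences discussed in this thread, added here as an example (it is not code from the Noise spec, from Trevor's draft, or from Jason's implementation). Assumptions: AES-GCM as the AEAD, SHA-256 for the transcript hash h, an HMAC-based split of a constructed chaining key into a "handshake" and a "transport" key standing in for the real key derivation, and a constructed protocol-name string as the initial h. The 1-byte prologue carries the message type, and the receiver uses that byte to choose its key; the AAD is the type byte followed by h, so the example can show separately that a MITM-rewritten type byte is caught by the aad=h binding alone, by key separation alone, and that an intact message moved to another transcript position is rejected as well.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Message types carried in the 1-byte prologue (values constructed for this example).
const (
	typeHandshake byte = 1
	typeTransport byte = 2
)

// mixHash models a transcript-hash update: h = H(h || data).
func mixHash(h [32]byte, data []byte) [32]byte {
	return sha256.Sum256(append(h[:], data...))
}

// deriveKey models key separation: each message class gets its own key from a
// shared chaining key under a distinct label (an assumed KDF shape, not Noise's).
func deriveKey(ck [32]byte, label string) [32]byte {
	m := hmac.New(sha256.New, ck[:])
	m.Write([]byte(label))
	var out [32]byte
	copy(out[:], m.Sum(nil))
	return out
}

func newAEAD(key [32]byte) cipher.AEAD {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

func nonceBytes(n uint64) []byte {
	buf := make([]byte, 12) // 96-bit GCM nonce, counter in the low 8 bytes
	binary.BigEndian.PutUint64(buf[4:], n)
	return buf
}

// seal builds a wire message: typeByte || AEAD(key, nonce, plaintext, aad),
// with aad = typeByte || h, so the prologue and the transcript position are
// both authenticated.
func seal(key [32]byte, nonce uint64, h [32]byte, msgType byte, plaintext []byte) []byte {
	aad := append([]byte{msgType}, h[:]...)
	ct := newAEAD(key).Seal(nil, nonceBytes(nonce), plaintext, aad)
	return append([]byte{msgType}, ct...)
}

// open verifies a wire message against the aad the receiver reconstructs from
// the type byte it sees on the wire and its own h.
func open(key [32]byte, nonce uint64, h [32]byte, wire []byte) ([]byte, error) {
	if len(wire) < 1 {
		return nil, errors.New("empty message")
	}
	aad := append([]byte{wire[0]}, h[:]...)
	return newAEAD(key).Open(nil, nonceBytes(nonce), wire[1:], aad)
}

// receive picks the key from the prologue byte, as a receiver that trusts the
// type byte to route the message would.
func receive(hsKey, trKey [32]byte, nonce uint64, h [32]byte, wire []byte) ([]byte, error) {
	if len(wire) >= 1 && wire[0] == typeHandshake {
		return open(hsKey, nonce, h, wire)
	}
	if len(wire) >= 1 && wire[0] == typeTransport {
		return open(trKey, nonce, h, wire)
	}
	return nil, errors.New("unknown message type")
}

// RunScenarios reports, per scenario, whether the receiver behaved correctly:
// honest traffic accepted, cut-and-paste rejected.
func RunScenarios() map[string]bool {
	res := map[string]bool{}
	ck := sha256.Sum256([]byte("constructed chaining key"))  // constructed
	h0 := sha256.Sum256([]byte("ExampleProtocol_v0"))        // constructed initial h
	hsKey, trKey := deriveKey(ck, "handshake"), deriveKey(ck, "transport")

	hs := seal(hsKey, 0, h0, typeHandshake, []byte("handshake payload"))
	_, err := receive(hsKey, trKey, 0, h0, hs)
	res["honest handshake accepted"] = err == nil
	h1 := mixHash(h0, hs) // both sides absorb the handshake message into h

	tr := seal(trKey, 0, h1, typeTransport, []byte("transport payload"))
	_, err = receive(hsKey, trKey, 0, h1, tr)
	res["honest transport accepted"] = err == nil

	// MITM rewrites the prologue byte of each message.
	hsAsTr := append([]byte{typeTransport}, hs[1:]...)
	trAsHs := append([]byte{typeHandshake}, tr[1:]...)
	_, err = receive(hsKey, trKey, 0, h0, hsAsTr)
	res["handshake relabelled as transport rejected"] = err != nil
	_, err = receive(hsKey, trKey, 0, h1, trAsHs)
	res["transport relabelled as handshake rejected"] = err != nil

	// Which layer stops the relabelled handshake message? Each one on its own.
	_, err = open(hsKey, 0, h0, hsAsTr) // right key, but aad now says "transport"
	res["aad binding alone rejects"] = err != nil
	_, err = open(trKey, 0, h0, hs) // original aad, but the transport key
	res["key separation alone rejects"] = err != nil

	// An intact handshake message replayed at a later transcript position.
	_, err = receive(hsKey, trKey, 0, h1, hs)
	res["handshake replayed at later position rejected"] = err != nil
	return res
}

func main() {
	for name, ok := range RunScenarios() {
		fmt.Printf("%-48s %v\n", name, ok)
	}
}
```

Every scenario comes out as expected: the honest messages open, and all five cut-and-paste variants fail authentication. The two diagnostic calls are the ones that answer the question in the mail: even if the type byte were not in the AAD, the derived transport key would reject a relabelled handshake message, and even if both classes shared a key, the aad=h binding would. Taking the last step into account, key separation alone would not stop an intact message being replayed at a different transcript position; that is what including h in the AAD buys.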