[noise] New branch: hkdf
Trevor Perrin
trevp at trevp.net
Mon Oct 12 21:16:50 PDT 2015
On Mon, Oct 12, 2015 at 2:29 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> On Sat, Oct 10, 2015 at 9:21 PM, Trevor Perrin <trevp at trevp.net> wrote:
>> Based on all this, I favor the HKDF design at the moment. I'll
>> probably merge it to master in a few days if there aren't any
>> compelling counter-arguments.
>
> In its current manifestation, `ck` is part of the
> SymmetricHandshakeState object. Since this object is discarded after a
> handshake, one can't derive new keys from previous ones. IOW,
> ratcheting isn't possible. To add back this possibility, you'd need to
> move `ck` to the CipherState object, and change Split() in such a way
> that `ck` inside of CipherState would be properly updated too.
Yeah, but the current Noise doesn't have ratcheting at all, so a later
extension could easily track extra state - e.g. something like Axolotl
blurs the handshake vs transport-layer distinction, since DH keys are
exchanged along with messages, but I'm not trying to accomodate that
in Noise at this point.
Trevor
More information about the Noise
mailing list