[noise] Key confirmation
Jason A. Donenfeld
Jason at zx2c4.com
Fri Oct 16 13:18:59 PDT 2015
On Fri, Oct 16, 2015 at 10:05 PM, Michael Hamburg <mike at shiftleft.org>
wrote:
>
>
> There’s one more wrinkle, though. If the handshake is authenticating the
> initiator, then the responder doesn’t know if they’re talking to the right
> initiator. They just know that nobody other than that party can decrypt
> the transport messages. In some cases, that’s fine, but in other cases,
> the length of the transport messages (or their timing, or the willingness
> of the responder to say anything at all) can leak sensitive information.
>
I thought, though, that in the case of Noise_IS, there is authentication in
the first message -- via static-static DH. This has some replay attack
detriments, unless timestamps are used.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20151016/97c1aac0/attachment.html>
More information about the Noise
mailing list