[noise] Key confirmation

Trevor Perrin trevp at trevp.net
Fri Oct 16 16:05:06 PDT 2015


On Fri, Oct 16, 2015 at 1:18 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>
>
> On Fri, Oct 16, 2015 at 10:05 PM, Michael Hamburg <mike at shiftleft.org>
> wrote:
>>
>>
>> There’s one more wrinkle, though.  If the handshake is authenticating the
>> initiator, then the responder doesn’t know if they’re talking to the right
>> initiator.  They just know that nobody other than that party can decrypt the
>> transport messages.  In some cases, that’s fine, but in other cases, the
>> length of the transport messages (or their timing, or the willingness of the
>> responder to say anything at all) can leak sensitive information.
>
>
> I thought, though, that in the case of Noise_IS, there is authentication in
> the first message -- via static-static DH.

Sure, but there's stronger authentication in Noise_IS after the 2nd
handshake message, since it's based on a fresh ephemeral from the
server, instead of the server's long-term static.

Anyways, I said that until you receive the final handshake message or
a transport message, you shouldn't assume that you've fully
authenticated the other party, but it's cryptographically OK to send
transport messages (they can only be decrypted by the correct party).

Mike points out that it's possible you'd want to refrain from sending
until the other party has proven that it's fully authenticated, for
non-cryptographic reasons (you might not want to reveal message sizes
or timings).  So that's something to consider.

Trevor


More information about the Noise mailing list