[noise] Key confirmation

Michael Hamburg mike at shiftleft.org
Fri Oct 16 16:38:38 PDT 2015


> On Oct 16, 2015, at 1:18 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>
> On Fri, Oct 16, 2015 at 10:05 PM, Michael Hamburg <mike at shiftleft.org> wrote:
>
> > There’s one more wrinkle, though.  If the handshake is authenticating the initiator, then the responder doesn’t know if they’re talking to the right initiator.  They just know that nobody other than that party can decrypt the transport messages.  In some cases, that’s fine, but in other cases, the length of the transport messages (or their timing, or the willingness of the responder to say anything at all) can leak sensitive information.
> 
> I thought, though, that in the case of Noise_IS, there is authentication in the first message -- via static-static DH. This has some replay attack detriments, unless timestamps are used.

Oh, right.  So it’s not quite as serious as I thought for Noise_IS.  — Mike
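
A simplified model of the replay point raised in this exchange, as an added example that is not part of the original thread or of the Noise specification. HMAC-SHA256 stands in for the authentication that the static-static DH gives the first message; the `SS` value, the message layout and the `Responder` class (one initiator/responder pair) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the static-static DH output shared by one
# initiator/responder pair; it is the same for every handshake they run.
SS = hashlib.sha256(b"constructed static-static DH output").digest()

def make_first_message(ss: bytes, timestamp: int) -> bytes:
    """Initiator: fresh ephemeral value + timestamp, authenticated under ss."""
    body = os.urandom(32) + timestamp.to_bytes(8, "big")
    return body + hmac.new(ss, body, hashlib.sha256).digest()

class Responder:
    def __init__(self, ss: bytes, check_timestamps: bool):
        self.ss = ss
        self.check_timestamps = check_timestamps
        self.latest = -1  # greatest timestamp accepted from this initiator

    def accept(self, msg: bytes) -> bool:
        if len(msg) != 72:  # 32-byte ephemeral + 8-byte timestamp + 32-byte tag
            return False
        body, tag = msg[:40], msg[40:]
        expected = hmac.new(self.ss, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # not produced by a holder of the static key
        ts = int.from_bytes(body[32:], "big")
        if self.check_timestamps:
            if ts <= self.latest:
                return False  # replayed or stale first message
            self.latest = ts
        return True

def demo() -> dict:
    captured = make_first_message(SS, timestamp=1000)
    plain, guarded = Responder(SS, False), Responder(SS, True)
    return {
        "plain_first": plain.accept(captured),
        "plain_replay": plain.accept(captured),      # authentic, so accepted again
        "guarded_first": guarded.accept(captured),
        "guarded_replay": guarded.accept(captured),  # timestamp not newer
        "guarded_newer": guarded.accept(make_first_message(SS, 1001)),
        "forged": guarded.accept(captured[:-1] + bytes([captured[-1] ^ 1])),
    }

if __name__ == "__main__":
    print(demo())
```
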