[noise] Pre-shared Secret - preventing DoS, and ensuring post-quantum PFS

Jason A. Donenfeld Jason at zx2c4.com
Wed Nov 11 03:22:08 PST 2015


Hi Trevor,

Hopefully it's not too late to discuss this...

It occurred to me that Noise could benefit from having a pre-shared secret
option, which could be in use by multiple peers at once. It would provide
two nice properties:

1. If a pre-shared secret is provided, MixKey(pre-shared secret) is called
during handshake initialization.

Since internet traffic is being collected passively and stored
indefinitely, this ensures that if in the future the DH functions are
broken, the data is still secured, so long as the pre-shared secret didn't
leak from somebody.

2. If a pre-shared secret is provided, the first unencrypted public key
written receives a MAC (using HMAC or keyed-BLAKE2) using the pre-shared
secret.

This provides DoS defense, so that an attacker cannot force a server to
compute any DH operations, unless he has the pre-shared secret. Without
this mitigation, Noise is very very DoS-able.

What do you think?

Jason
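
A sketch of the check proposed in point 2, added here as an example; it is not code from the post or from the Noise specification. The message layout (32-byte public key followed by a 16-byte tag), the names Responder, build_first_message and mac_pubkey, and the hash that stands in for the DH step are all assumptions.

```python
import hashlib
import hmac

PUBKEY_LEN = 32  # assumed: 32-byte DH public key
TAG_LEN = 16     # assumed tag length; the post does not give one


def mac_pubkey(psk: bytes, pub: bytes) -> bytes:
    """Keyed-BLAKE2 tag over the cleartext public key."""
    return hashlib.blake2b(pub, key=psk, digest_size=TAG_LEN).digest()


def build_first_message(psk: bytes, ephemeral_pub: bytes) -> bytes:
    """Initiator: the unencrypted public key followed by its tag."""
    return ephemeral_pub + mac_pubkey(psk, ephemeral_pub)


class Responder:
    def __init__(self, psk: bytes):
        self.psk = psk
        self.dh_count = 0  # how many times the costly step actually ran

    def _dh(self, peer_pub: bytes) -> bytes:
        # Stand-in for the real DH computation (hypothetical; a hash
        # keeps the example runnable offline).
        self.dh_count += 1
        return hashlib.blake2b(peer_pub, digest_size=32).digest()

    def handle_first_message(self, msg: bytes):
        """Return DH output for an authenticated message, None otherwise."""
        if len(msg) != PUBKEY_LEN + TAG_LEN:
            return None  # malformed: rejected before any crypto
        pub, tag = msg[:PUBKEY_LEN], msg[PUBKEY_LEN:]
        # Cheap symmetric check first, compared in constant time.
        if not hmac.compare_digest(tag, mac_pubkey(self.psk, pub)):
            return None  # no valid tag: no DH is performed
        return self._dh(pub)


if __name__ == "__main__":
    psk = bytes(range(32))      # constructed sample secret
    pub = bytes([0x42]) * 32    # constructed sample "public key"
    server = Responder(psk)
    forged = pub + bytes(TAG_LEN)
    print(server.handle_first_message(forged), server.dh_count)
    good = build_first_message(psk, pub)
    print(server.handle_first_message(good) is not None, server.dh_count)
```

The tag in this sketch covers only the public key, so it does not by itself detect a previously seen message being sent again; that would need something fresh, such as a timestamp or counter, under the MAC.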