[noise] Pre-shared Secret - preventing DoS, and ensuring post-quantum PFS
Trevor Perrin
trevp at trevp.net
Wed Nov 11 14:40:12 PST 2015
On Wed, Nov 11, 2015 at 2:26 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> On Wed, Nov 11, 2015 at 10:16 PM, Trevor Perrin <trevp at trevp.net> wrote:
>> * A Noise handshake specifies a fixed sequence of MixKey / MixHash
>> steps, so we can't add an optional MixKey to a handshake. This would
>> require either specifying "preshared_key" versions of the handshakes,
>> or always performing an extra MixKey().
>
> Why would optional be bad? The idea would be - if both parties a) know
> to use a pre-shared key and b) use the same pre-shared key, their
> handshakes will be successful. Otherwise, they're not legitimate.
Because if you use the same keys for preshared-key and
non-preshared-key handshakes, the role of the different MixKey steps
would be ambiguous.
>> * h is intended to bind *all* previous data, but also to be
>> non-secret, so we'd need to MixHash() some value derived from the
>> pre-shared key.
>
> I had feared this. So in that case what about: "If a pre-shared key is
> provided, in Initialize, call MixKey(psk) followed by MixHash(psk)."
> Off-hand, I can't imagine any reason why this would leak anything
> important.
That's not making this simpler, and also I'd prefer to MixHash an
independent value, not the psk directly.
>> So instead of a pre-shared symmetric key, the parties could use
>> pre-shared ephemeral public keys, and you could augment any handshake
>> to a "pse" version like this:
>>
>> Noise_IK_pse(s, rs):
>> -> e
>> <- s, e
>> ------
>> -> dhee, e, dhes, s, dhss
>> <- e, dhee, dhes
>
> In this version, is the pre-shared ephemeral "e" a different "e" (say,
> e prime) than what's later exchanged?
Yes.
> In other words, do you mean
> this:
>
> -> e'
> <- s, e'
> ------
> -> dhee, e, dhes, s, dhss
> <- e, dhee, dhes
I meant it as written - the spec says every occurrence of "e"
generates a new ephemeral.
> But this has a major problem. From the spec:
>
> "Calls MixHash() once for each public key listed in the pre-messages
> from new_handshake_pattern, passing in that public key as input"
>
> Since only MixHash() is called on each pre-shared ephemeral, the
> pre-shared ephemerals do NOT become part of the symmetric encryption
> key.
They contribute to the key through the initial "dhee".
> The symmetric encryption key, then, is still derived from only
> diffie-hellman results, the public keys for which are shared through
> the wire.
No, the pre-message public keys are not "shared through the wire".
> This means PFS is broken if the DH function is broken
> (post-quantum, better rho, other DH weaknesses...), which is the
> precise threat model I wanted to protect against. If all our traffic
> is logged, I don't want it to be decryptable in the future.
If you're keeping the ephemeral DH public keys secret, there's nothing
to break, and this is the same as a pre-shared symmetric key.
>> > 2. If a pre-shared secret is provided, the first unencrypted public key written receives a MAC (using hmac or keyed-blake2) using the pre-shared secret.
Also with what I suggested.
Trevor
More information about the Noise
mailing list