[noise] Pre-shared Secret - preventing DoS, and ensuring post-quantum PFS
Alex
alex at centromere.net
Wed Nov 11 15:27:33 PST 2015
On Wed, 11 Nov 2015 23:26:09 +0100
"Jason A. Donenfeld" <Jason at zx2c4.com> wrote:
> There's also my second concern:
>
> > > 2. If a pre-shared secret is provided, the first unencrypted
> > > public key written receives a MAC (using hmac or keyed-blake2)
> > > using the pre-shared secret. This provides DoS defense, so that
> > > an attacker can not force a server to compute any DH operations,
> > > unless he has the pre-shared secret. Without this mitigation,
> > > Noise is very very DoS-able.
>
> DH is expensive; the denial-of-service situation is real. It would be
> nice to have a cryptographic solution for this (i.e. not token
> buckets).
>
> A weaker form than what I've proposed here with the pre-shared key is
> to simply use the recipient's public key as a key for a MAC over the
> whole message. That way, at the very least, it's not DoS-able by
> random third parties, but rather people who already know who they're
> talking to.
>
> What do you think of this?
>
Would it be possible to prevent DoS attacks by using some pre-shared
secret in the write/readMessage payload of the first message that Alice
delivers to Bob?
--
Alex
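
The MAC gate proposed in the quoted point 2, as an added example that is not part of the original message or of the Noise specification: the responder checks a keyed-BLAKE2 tag over the unencrypted ephemeral public key before doing any DH work. The names, the message layout (key followed by tag) and the modular-exponentiation stand-in for the DH step are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the expensive DH step: modular exponentiation
# keeps the example standard-library only. It is not Noise's actual DH.
P = 2**255 - 19
G = 2
KEY_LEN = 32
MAC_LEN = 32


def mac(psk: bytes, ephemeral_pub: bytes) -> bytes:
    """Keyed BLAKE2b over the unencrypted ephemeral public key."""
    return hashlib.blake2b(ephemeral_pub, key=psk, digest_size=MAC_LEN).digest()


def initiator_first_message(psk: bytes):
    """Return (private key, wire message = ephemeral public key || MAC)."""
    priv = secrets.randbelow(P - 2) + 1
    pub = pow(G, priv, P).to_bytes(KEY_LEN, "big")
    return priv, pub + mac(psk, pub)


class Responder:
    def __init__(self, psk: bytes):
        self.psk = psk
        self.priv = secrets.randbelow(P - 2) + 1
        self.dh_ops = 0  # counts expensive operations actually performed

    def read_first_message(self, msg: bytes):
        """Check the MAC first; only an authenticated key reaches the DH step."""
        if len(msg) != KEY_LEN + MAC_LEN:
            return None
        pub, tag = msg[:KEY_LEN], msg[KEY_LEN:]
        # Constant-time comparison; the cost so far is one hash, no DH.
        if not hmac.compare_digest(tag, mac(self.psk, pub)):
            return None
        self.dh_ops += 1
        return pow(int.from_bytes(pub, "big"), self.priv, P)
```

A captured valid first message still passes this check when replayed, so the gate filters out senders who lack the pre-shared secret, not replays.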