[noise] new branch: psk2
Trevor Perrin
trevp at trevp.net
Mon Nov 16 00:48:10 PST 2015
On Sat, Nov 14, 2015 at 3:48 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> On Sat, Nov 14, 2015 at 8:16 AM, Trevor Perrin <trevp at trevp.net> wrote:
>>
>> This makes it crucial for each party's first message to begin with
>> "e", so I reordered "s, e" -> "e, s" in a couple patterns, and
>> explained this in Section 6.1 "Pattern validity".
>>
>> * A more subtle "invalid" pattern would be one that sent encrypted
>> data without first doing a DH with the sender's ephemeral against any
>> public keys the remote party has sent. Example:
>>
>> -> e, s
>> <- e, dhee, dhss
>
> Are there any _useful_ patterns where these patterns would occur? Or
> is it possible to work around this in pretty much all scenarios?
I can't think of a great reason you'd want to introduce an ephemeral
and not get the benefits of both forward-secrecy (dhee) and
authentication (dhes) from it.
> But, I would suggest in screech (and other implementations too), you
> implement this validation in the handshake constructor,
Yeah, I was thinking of that too.
Trevor
More information about the Noise
mailing list