[noise] DoS *is* a problem

Trevor Perrin trevp at trevp.net
Wed Nov 18 22:40:12 PST 2015


On Wed, Nov 18, 2015 at 7:20 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> Welp, I've implemented some hash token bucket situation, which is a
> decent practical solution.
>
> Thinking about this more, I guess a PSK-based solution could exist
> outside of Noise-proper, and amount to something along the lines of
> MACing with a nonce and keeping track of potential replays. Not very
> pretty I suppose.

I think what I said previously still holds:

https://moderncrypto.org/mail-archive/noise/2015/000416.html
"""
Note that simply replaying the initiator's first message defeats this
"protection".  If your threat model doesn't allow attackers to observe
messages for replay, then having the initiator's first message begin
with a secret value in clear gets the same "protection", for cheaper
(no crypto ops for responder at all, just a const-time comparison).

Also, you're probably worrying too much about computational DoS based
on a single ECDH.  Modern server-class CPUs can do ~20K variable-base
25519 ops per second per core.  If you optimize for the responder's
fixed public key, you can increase that ~3x.
"""

Trevor
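
Added example, not part of the original message or of any Noise implementation: a Python sketch of the three responder-side gates discussed in this thread (MAC on the first message, a secret value in clear, and MAC with replay tracking), showing which ones still accept a message that was recorded and sent again. The message layout, nonce size, sample key and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

TAG_LEN = 32    # HMAC-SHA256 output size
NONCE_LEN = 16  # assumed nonce size for this sketch

def build_mac_message(psk, handshake):
    """Initiator: nonce || handshake || HMAC(psk, nonce || handshake)."""
    body = os.urandom(NONCE_LEN) + handshake
    return body + hmac.new(psk, body, hashlib.sha256).digest()

def mac_gate(psk, msg):
    """Responder: one HMAC, then a constant-time tag comparison."""
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(psk, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def prefix_gate(secret, msg):
    """Responder: no crypto op at all, only a constant-time comparison."""
    return hmac.compare_digest(msg[:len(secret)], secret)

class ReplayTrackingGate:
    """MAC check plus a record of nonces that were already accepted."""
    def __init__(self, psk):
        self.psk, self.seen = psk, set()

    def accept(self, msg):
        nonce = msg[:NONCE_LEN]
        if len(msg) < NONCE_LEN + TAG_LEN or nonce in self.seen:
            return False
        if not mac_gate(self.psk, msg):
            return False
        self.seen.add(nonce)
        return True

def demo():
    psk = b"\x11" * 32        # constructed sample key
    handshake = b"\x22" * 48  # constructed stand-in for the first handshake message
    recorded = build_mac_message(psk, handshake)  # bytes an observer could record
    prefixed = psk + handshake                    # secret value sent in clear
    blind = bytes(len(recorded))                  # sender who never saw the secret
    tracker = ReplayTrackingGate(psk)
    return {
        "mac": [mac_gate(psk, recorded), mac_gate(psk, recorded)],
        "prefix": [prefix_gate(psk, prefixed), prefix_gate(psk, prefixed)],
        "tracked": [tracker.accept(recorded), tracker.accept(recorded)],
        "blind": [mac_gate(psk, blind), prefix_gate(psk, blind)],
    }
```

Each list holds the result for the first delivery and for the identical second delivery; only the gate that remembers nonces rejects the second one, at the cost of keeping state on the responder.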

