[noise] Another spec issue: remote ephemeral keys
Rhys Weatherley
rhys.weatherley at gmail.com
Fri Apr 15 16:10:19 PDT 2016
In section 5.3 under the description of ReadMessage():
    For "e": Sets re to the next DHLEN bytes from the
    message. Calls MixHash(re.public_key).

That should probably read as:

    For "e": Sets re to the next DHLEN bytes from the
    message. If "e" is the null public key value, then
    abort the handshake with an error. Otherwise call
    MixHash(re.public_key).
While implementing ReadMessage() today, I realised that a hostile party
could downgrade the security of the handshake to "none at all" by
specifying a null ephemeral key in their first packet. That will cause all
future encryption key values to become predictable to an eavesdropper.
It may also be worth being more explicit as to exactly what circumstances a
null static key can be used in accordance with "9.1. Dummy static public
keys". Can every handshake pattern involving static keys use them, or only
a certain subset under certain strictly defined conditions with everything
else rejected?
Cheers,
Rhys.
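The downgrade described in the post and the check it proposes, as an added example that is not code from the post or from the Noise project: a pure-Python X25519 (the RFC 7748 Montgomery ladder, not constant time, for demonstration only) shows that a DH against the null public key yields an all-zero shared secret whatever the local private key is, and a hypothetical read_e() rejects a null re before it is mixed into the handshake. The names x25519, dh_output_for_null_re, read_e and NULL_PUBLIC_KEY are assumptions, not identifiers from the spec.

```python
# Added example (not from the post or the Noise spec): why a null remote
# ephemeral key "re" is dangerous, and the proposed check for the "e" token.
P = 2**255 - 19
A24 = 121665
DHLEN = 32                      # DHLEN for the 25519 DH function
NULL_PUBLIC_KEY = bytes(DHLEN)  # the all-zero "null public key" value


def x25519(k: bytes, u: bytes) -> bytes:
    """X25519 Montgomery ladder per RFC 7748 (not constant time; demo only)."""
    kb = bytearray(k); kb[0] &= 248; kb[31] &= 127; kb[31] |= 64
    k_int = int.from_bytes(kb, "little")
    ub = bytearray(u); ub[31] &= 127
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    # z2 is 0 when the result is the point at infinity, which encodes as 0.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def dh_output_for_null_re(private_key: bytes) -> bytes:
    """Shared secret an honest party derives from a null re: always zeros,
    so every key mixed in afterwards is predictable to an eavesdropper."""
    return x25519(private_key, NULL_PUBLIC_KEY)


def read_e(message: bytes):
    """Hypothetical "e" token handling in ReadMessage() with the proposed
    check: abort if re is the null public key, before MixHash(re)."""
    if len(message) < DHLEN:
        raise ValueError("message too short for an ephemeral public key")
    re, rest = message[:DHLEN], message[DHLEN:]
    if re == NULL_PUBLIC_KEY:
        raise ValueError("remote ephemeral key is the null public key; abort")
    return re, rest
```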