[noise] Session identifiers

Rhys Weatherley rhys.weatherley at gmail.com
Mon Apr 18 18:21:32 PDT 2016


SSH has a concept of a "session identifier" which is output from the
transport handshake (RFC 4253) and then used in higher-level session
authentication (RFC 4252) to strongly bind the authentication process to
the session.

Quote from RFC 4252: "When this protocol starts, it receives the session
identifier from the lower-level protocol (this is the exchange hash H from
the first key exchange).  The session identifier uniquely identifies this
session and is suitable for signing in order to prove ownership of a
private key."

The private key here is for some digital signature algorithm at the next
protocol layer up (e.g. ECDSA, Ed25519, ...) to effect a user login.  It is
not the same as the private DH keys that are used to secure the transport
layer.

The text mentions the "exchange hash H", which sounds similar to Noise's
handshake hash "h" value.  The main difference is that SSH's hash value
also includes the shared secret, whereas Noise's "h" is computed over
publicly known values.  A secret session identifier would be preferable so
that an eavesdropper cannot determine the value being signed by the login
key.

Is there some equivalent session identifier for Noise, and/or should we
specify one?  Perhaps a final HKDF(ck, onelen) where "onelen" is a
single-byte string to distinguish it from the "zerolen" value used to
generate encryption keys?  Split() would thus be modified to return (c1,
c2, session_id).

Cheers,

Rhys.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20160419/ca2c6d0a/attachment.html>


More information about the Noise mailing list