[noise] Session identifiers

Trevor Perrin trevp at trevp.net
Mon Apr 18 21:12:55 PDT 2016


On Mon, Apr 18, 2016 at 9:03 PM, Alex <alex at centromere.net> wrote:
>
> Would you consider the `h` value from the SymmetricState to be useful
> to end-users of a Noise library? Would it be valid/safe for them to
> use it as a session identifier which can be signed for authentication
> at a higher level?

Yeah, I think that's a valid use, and touched on in the spec, though not well:


"Channel binding" security consideration:
...
If a higher-level protocol wants a unique "channel binding" value for
referring to a Noise session it should use the value of h after the
final handshake message, not ck.


> Or do you think that authentication at a higher level is redundant
> because Noise already provides such a facility in many of the
> handshakes?

I think it's a reasonable design, sometimes, for auth to be a separate
and higher layer than encryption, using channel bindings.

Maybe you need to support smartcard auth with RSA signing or something
that doesn't fit into Noise, or do password-based auth, or auth
triggered by the user's request to access a particular resource that
occurs after the handshake, or you want a design like TCPcrypt, where
encryption is opportunistically negotiated by the network stack (E.g.
Noise_NN), and applications can add their own auth...

Trevor
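As an added illustration of the design described in this thread (not code from the Noise spec, from Trevor, or from any Noise library): a toy SymmetricState hash chain that replays a Noise_NN-style handshake transcript through MixHash to obtain the final `h`, and a higher-layer authenticator computed over that `h`. The DH, `ck`/HKDF and AEAD parts of Noise are omitted, since only the MixHash chain determines `h`; the ephemeral public keys, payloads and the higher-layer credential are constructed stand-in values, and the HMAC stands in for whatever the higher layer would actually use (a smartcard RSA signature, a password-based MAC, etc.). The second half of the demo shows why the spec wants `h` and not some per-connection value the peer can control: two separately negotiated sessions, even when stitched together by a relay, produce different `h` values, so an authenticator bound to one session does not verify on the other.

```python
import hashlib
import hmac

HASHLEN = 32  # SHA-256, as used by e.g. Noise_NN_25519_ChaChaPoly_SHA256
PROTOCOL = b"Noise_NN_25519_ChaChaPoly_SHA256"


def initialize_symmetric(protocol_name: bytes) -> bytes:
    """Noise InitializeSymmetric(): h starts as the protocol name zero-padded
    to HASHLEN, or as HASH(protocol_name) when the name is longer than HASHLEN."""
    if len(protocol_name) <= HASHLEN:
        return protocol_name.ljust(HASHLEN, b"\x00")
    return hashlib.sha256(protocol_name).digest()


def mix_hash(h: bytes, data: bytes) -> bytes:
    """Noise MixHash(): h = HASH(h || data)."""
    return hashlib.sha256(h + data).digest()


def channel_binding(protocol_name: bytes, transcript: list) -> bytes:
    """Replay the handshake transcript through MixHash and return the final h.

    Simplified: 'transcript' holds only the byte strings Noise feeds to MixHash
    (ephemeral public keys and the per-message payload ciphertexts), in order.
    The value after the last handshake message is the channel binding."""
    h = initialize_symmetric(protocol_name)
    for part in transcript:
        h = mix_hash(h, part)
    return h


def make_auth_token(higher_layer_key: bytes, h: bytes) -> bytes:
    """Higher-layer authentication bound to the session: an authenticator over h.
    HMAC is a stand-in for whatever credential the higher layer really uses."""
    return hmac.new(higher_layer_key, b"noise-channel-binding:" + h,
                    hashlib.sha256).digest()


def verify_auth_token(higher_layer_key: bytes, h: bytes, token: bytes) -> bool:
    """Verifier recomputes the authenticator over its *own* h and compares."""
    return hmac.compare_digest(make_auth_token(higher_layer_key, h), token)


def run_demo() -> dict:
    # Constructed stand-ins: ephemeral public keys, payloads, shared credential.
    e_client = b"\x01" * 32
    e_server = b"\x02" * 32
    e_relay = b"\x03" * 32
    payload1 = b""        # Noise_NN message 1 carries an empty payload here
    payload2 = b"hello"   # stand-in for the (encrypted) message 2 payload
    user_key = b"constructed higher-layer credential"

    # Honest session: both peers absorb the same two messages, so h agrees and
    # the server can verify an authenticator the client computed over its h.
    transcript = [e_client, payload1, e_server, payload2]
    h_client = channel_binding(PROTOCOL, transcript)
    h_server = channel_binding(PROTOCOL, transcript)
    token = make_auth_token(user_key, h_client)

    # Two distinct sessions joined by a relay: the client's h covers (e_client,
    # e_relay), the server's covers (e_relay, e_server). They differ, so an
    # authenticator forwarded from one session fails on the other.
    h_client_relayed = channel_binding(PROTOCOL, [e_client, payload1, e_relay, payload2])
    h_server_relayed = channel_binding(PROTOCOL, [e_relay, payload1, e_server, payload2])
    relayed_token = make_auth_token(user_key, h_client_relayed)

    return {
        "honest_h_equal": h_client == h_server,
        "honest_auth_ok": verify_auth_token(user_key, h_server, token),
        "relayed_h_equal": h_client_relayed == h_server_relayed,
        "relayed_auth_ok": verify_auth_token(user_key, h_server_relayed, relayed_token),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point the spec makes about `ck` versus `h` carries over: a higher layer should consume only the final `h` (and never the chaining key material) as its session identifier, and the verifying side must always recompute over the `h` of the connection it actually terminated rather than trusting one sent by the peer.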

