[noise] Session identifiers

Rhys Weatherley rhys.weatherley at gmail.com
Mon Apr 18 21:37:28 PDT 2016


On Tue, Apr 19, 2016 at 1:46 PM, Trevor Perrin <trevp at trevp.net> wrote:

> So I believe the important property is uniqueness, not secrecy.  The
> higher-level signatures that are calculated over the channel binding
> are sent inside the SSH transport encryption, so secrecy is already
> provided.


The signature is secret.  What is being signed (the session identifier) is
not.  Paranoia again.  Knowing what is signed, combined with timing
information, might pry open the signing key.

It's not a big deal though - "h" can be combined with a secret nonce value
to produce a value to be signed instead.  The signature scheme should
probably be using a nonce anyway.

I'm good with "h" being the Noise version of session identifiers for now
until such time that some academic crypto nerd objects with an interesting
paper as to how to abuse the public session identifier to wriggle into a
user's session.

Like Alex, I'll add a function / extra result from Split().

Cheers,
Rhys.