[noise] Notes and thoughts from RWC2017
trevp at trevp.net
Mon Jan 16 10:19:39 PST 2017
On Mon, Jan 16, 2017 at 1:09 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> On Mon, Jan 16, 2017 at 6:53 AM, Trevor Perrin <trevp at trevp.net> wrote:
>> They specify symmetric-key update in the transport phase. If people
>> are going to keep wanting this we might consider saying something
>> about it in the Noise spec.
> Is this the ratcheting/key-rotation we had in earlier specs but
> removed later on?
No, see "Lightning Message Key Rotation":
They basically separate the chaining key (ck) into 2 separate ck, and
do periodic HKDF updates to get a new ck, k. That's a secure design
(assuming HKDF is a PRF), and nicely reuses the HKDF key chain.
It does mean storing two extra ck values during the transport phase.
The Noise spec reserved the high nonce value, with the alternative
idea that we could generate extra secret values from that, if needed
(key updates, resumption PSKs, or a catch-all like TLS exporters).
But we hadn't fleshed that out.
It might be worthwhile putting one of these mechanisms in the core
spec as an "Advanced use", so future adopters don't have to invent
their own thing.
More information about the Noise