[noise] NoiseSocket - next steps
rhys.weatherley at gmail.com
Fri Mar 10 13:54:35 PST 2017
On Sat, Mar 11, 2017 at 7:24 AM, Trevor Perrin <trevp at trevp.net> wrote:
> The idea that was bandied about earlier was to use the list of all
> client-offered protocol names as the prologue.
> That doesn't bind the message contents for non-chosen client initial
> messages, but I think that's OK, though merits a security
> consideration (server should only inspect protocol names, not
> messages, when choosing which message to respond to).
There is a scenario where message contents could be relevant. I give you
- The initiator includes both IK and XX protocols in its handshake with the
  same crypto algorithms.
- IK is listed first as preferred over XX.
- The IK and XX protocols may share the same ephemeral.
- The responder tries to use IK and it fails.
- The responder immediately shifts to XX (a real XX handshake, not
  XXfallback) and reports that as its chosen protocol.
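The prologue idea quoted above, as an added example that is not code from this thread or from NoiseSocket: it shows that hashing the offered protocol names into the prologue exposes a stripped or reordered offer, while the bytes of a non-chosen initial message stay unbound. The handshake-hash initialisation follows the Noise specification with SHA-256; the length-prefixed encoding of the name list, the helper names and the sample messages are assumptions made for illustration.

```python
import hashlib

HASHLEN = 32  # SHA-256 output length

IK = "Noise_IK_25519_ChaChaPoly_SHA256"
XX = "Noise_XX_25519_ChaChaPoly_SHA256"

def encode_offer(names):
    """Assumed encoding: each name preceded by a 1-byte length (not a wire format)."""
    return b"".join(bytes([len(n)]) + n.encode("ascii") for n in names)

def prologue(offer):
    """offer is a list of (protocol_name, initial_message); only names are bound."""
    return encode_offer([name for name, _msg in offer])

def initial_h(chosen, prologue_bytes):
    """Noise initialisation of h from the protocol name, then MixHash(prologue)."""
    name = chosen.encode("ascii")
    if len(name) <= HASHLEN:
        h = name.ljust(HASHLEN, b"\x00")
    else:
        h = hashlib.sha256(name).digest()
    return hashlib.sha256(h + prologue_bytes).digest()

def transcripts_diverge(client_offer, server_view, chosen):
    """True when the two sides start from different h values. Because h is the
    associated data for every later AEAD operation, divergence makes the
    handshake fail instead of completing silently."""
    return (initial_h(chosen, prologue(client_offer))
            != initial_h(chosen, prologue(server_view)))

# Constructed sample offers (message bytes are placeholders, not real handshakes).
client = [(IK, b"ik-initial-message"), (XX, b"xx-initial-message")]
stripped = [(XX, b"xx-initial-message")]                        # IK removed in transit
reordered = [(XX, b"xx-initial-message"), (IK, b"ik-initial-message")]
altered_msg = [(IK, b"modified-in-transit"), (XX, b"xx-initial-message")]

if __name__ == "__main__":
    for label, view in [("unmodified", client), ("IK stripped", stripped),
                        ("reordered", reordered), ("IK message altered", altered_msg)]:
        print(f"{label:20s} diverge={transcripts_diverge(client, view, XX)}")
```

The last case is the one the thread turns on: with names-only binding, a responder that inspects or attempts the IK message before settling on XX is acting on bytes the prologue does not cover.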