[noise] NoiseSocket - next steps
Rhys Weatherley
rhys.weatherley at gmail.com
Fri Mar 10 13:54:35 PST 2017
On Sat, Mar 11, 2017 at 7:24 AM, Trevor Perrin <trevp at trevp.net> wrote:
> The idea that was bandied about earlier was to use the list of all
> client-offered protocol names as the prologue.
>
> That doesn't bind the message contents for non-chosen client initial
> messages, but I think that's OK, though merits a security
> consideration (server should only inspect protocol names, not
> messages, when choosing which message to respond to).
>
There is a scenario where message contents could be relevant. I give you
NoisePipesNG:
- The initiator includes both IK and XX protocols in its handshake with the
same crypto algorithms.
- IK is listed first as preferred over XX.
- The IK and XX protocols may share the same ephemeral.
- The responder tries to use IK and it fails.
- The responder immediately shifts to XX (a real XX handshake, not
XXfallback) and reports that as its chosen protocol.
Cheers,
Rhys.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20170311/7e462cd3/attachment.html>
More information about the Noise
mailing list