[noise] Channel-bound keys

Alexey Ermishkin scratch.net at gmail.com
Thu Mar 16 02:09:45 PDT 2017


Looks good to me. But I have a more general PSK question.
I understand how pre-shared keys work, but how much security do they add? How much is 0-RTT IK safer with PSK than pure IK? Would be nice to have a comparison table to decide whether to spend time on implementing something like session cookies.


-----Original Message-----
From: Noise [mailto:noise-bounces at moderncrypto.org] On Behalf Of Trevor Perrin
Sent: Wednesday, March 15, 2017 3:24 AM
To: noise <noise at moderncrypto.org>
Subject: Re: [noise] Channel-bound keys

On Mon, Mar 13, 2017 at 2:44 PM, Trevor Perrin <trevp at trevp.net> wrote:
>
> So I added a notion of a "channel-binding value" based on some 
> "channel-binding label", cbv = HASH(h || label).  You can think of 
> this as an additional MixHash step which gives you a specialized 
> channel-binding value for different uses.
>
> https://github.com/noiseprotocol/noise_spec/blob/rev32/noise.md
> https://github.com/noiseprotocol/noise_spec/blob/rev32/output/noise.pdf

I tweaked the text:
 * It's now clearer that libraries shouldn't export the raw handshake hash, they should only provide access to channel-binding values based on application-chosen labels
 * changed cbv = HASH(h || label) to cbv = HMAC-HASH(h, label) to prevent length-extension.  It's unlikely that would matter, but since we can't control how applications use cbv's, we should probably make this as safe as possible.

Trevor
_______________________________________________
Noise mailing list
Noise at moderncrypto.org
https://moderncrypto.org/mailman/listinfo/noise


