[noise] Channel-bound keys

Alexey Ermishkin scratch.net at gmail.com
Thu Mar 16 02:09:45 PDT 2017

Looks good to me. But I have a more general PSK question.
I understand how pre-shared keys work, but how much security do they add? How much is 0-RTT IK safer with PSK than pure IK? Would be nice to have a comparison table to decide whether to spend time on implementing something like session cookies.

-----Original Message-----
From: Noise [mailto:noise-bounces at moderncrypto.org] On Behalf Of Trevor Perrin
Sent: Wednesday, March 15, 2017 3:24 AM
To: noise <noise at moderncrypto.org>
Subject: Re: [noise] Channel-bound keys

On Mon, Mar 13, 2017 at 2:44 PM, Trevor Perrin <trevp at trevp.net> wrote:
> So I added a notion of a "channel-binding value" based on some 
> "channel-binding label", cbv = HASH(h || label).  You can think of 
> this as an additional MixHash step which gives you a specialized 
> channel-binding value for different uses.
> https://github.com/noiseprotocol/noise_spec/blob/rev32/noise.md
> https://github.com/noiseprotocol/noise_spec/blob/rev32/output/noise.pdf

I tweaked the text:
 * It's now clearer that libraries shouldn't export the raw handshake hash, they should only provide access to channel-binding values based on application-chosen labels
 * changed cbv = HASH(h || label) to cbv = HMAC-HASH(h, label) to prevent length-extension.  It's unlikely that would matter, but since we can't control how applications use cbv's, we should probably make this as safe as possible.
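
An added example, not part of the thread or of any Noise library: it derives channel-binding values as cbv = HMAC-HASH(h, label) with SHA-256 and shows that a value verifies only against the same handshake and the same label. The transcript items and label strings are constructed placeholders, and the transcript is simplified compared with a real handshake.

```python
import hashlib
import hmac

HASHLEN = 32  # SHA-256 output length

def initial_h(protocol_name: bytes) -> bytes:
    """Noise's starting h: zero-padded name if it fits in HASHLEN, else its hash."""
    if len(protocol_name) <= HASHLEN:
        return protocol_name.ljust(HASHLEN, b"\x00")
    return hashlib.sha256(protocol_name).digest()

def handshake_hash(protocol_name: bytes, transcript: list[bytes]) -> bytes:
    """Fold each transcript item into h with MixHash: h = HASH(h || data)."""
    h = initial_h(protocol_name)
    for data in transcript:
        h = hashlib.sha256(h + data).digest()
    return h

def channel_binding_value(h: bytes, label: bytes) -> bytes:
    """cbv = HMAC-HASH(h, label): h is the HMAC key, the label is the message."""
    return hmac.new(h, label, hashlib.sha256).digest()

def cbv_matches(local_h: bytes, label: bytes, peer_cbv: bytes) -> bool:
    """Constant-time check that the peer saw the same handshake for this label."""
    return hmac.compare_digest(channel_binding_value(local_h, label), peer_cbv)

# Constructed sample data (assumption): stand-ins for the real handshake inputs.
NAME = b"Noise_IK_25519_ChaChaPoly_SHA256"
TRANSCRIPT = [b"prologue", b"responder-static-pub", b"msg1-bytes", b"msg2-bytes"]
RELAYED = TRANSCRIPT[:2] + [b"msg1-bytes-altered", b"msg2-bytes"]

def demo() -> dict:
    h_client = handshake_hash(NAME, TRANSCRIPT)
    h_server = handshake_hash(NAME, TRANSCRIPT)
    h_relayed = handshake_hash(NAME, RELAYED)  # peer saw a modified message
    login_cbv = channel_binding_value(h_client, b"example-login")
    return {
        "same_session": cbv_matches(h_server, b"example-login", login_cbv),
        "altered_session": cbv_matches(h_relayed, b"example-login", login_cbv),
        "other_label": cbv_matches(h_server, b"example-export", login_cbv),
    }

if __name__ == "__main__":
    print(demo())
```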
