[noise] Channel-bound keys
Alexey Ermishkin
scratch.net at gmail.com
Thu Mar 16 02:09:45 PDT 2017
Looks good to me. But I have a more general PSK question.
I understand how pre-shared keys work, but how much security do they add? How much is 0-RTT IK safer with PSK than pure IK? Would be nice to have a comparison table to decide whether to spend time on implementing something like session cookies.
-----Original Message-----
From: Noise [mailto:noise-bounces at moderncrypto.org] On Behalf Of Trevor Perrin
Sent: Wednesday, March 15, 2017 3:24 AM
To: noise <noise at moderncrypto.org>
Subject: Re: [noise] Channel-bound keys
On Mon, Mar 13, 2017 at 2:44 PM, Trevor Perrin <trevp at trevp.net> wrote:
>
> So I added a notion of a "channel-binding value" based on some
> "channel-binding label", cbv = HASH(h || label). You can think of
> this as an additional MixHash step which gives you a specialized
> channel-binding value for different uses.
>
> https://github.com/noiseprotocol/noise_spec/blob/rev32/noise.md
> https://github.com/noiseprotocol/noise_spec/blob/rev32/output/noise.pdf
I tweaked the text:
* It's now clearer that libraries shouldn't export the raw handshake hash, they should only provide access to channel-binding values based on application-chosen labels
* changed cbv = HASH(h || label) to cbv = HMAC-HASH(h, label) to prevent length-extension. It's unlikely that would matter, but since we can't control how applications use cbv's, we should probably make this as safe as possible.
Trevor