[noise] Channel-bound keys

Trevor Perrin trevp at trevp.net
Thu Mar 16 03:43:54 PDT 2017 

On Thu, Mar 16, 2017 at 2:09 AM, Alexey Ermishkin <scratch.net at gmail.com> wrote:
> Looks good to me. But I have a more general PSK question
> I understand how pre-shared keys work, but how much security do they add? How much Is 0-RTT IK safer with PSK than pure IK? Would be nice to have a comparison table to decide whether to spend time on implementing something like session cookies

Comparing IK to PSK_NN with a resumption PSK:

IK has stronger authentication because it authenticates the other
party's public key.  With PSK_NN someone who steals your resumption
PSK can impersonate other parties *TO* you.

IK has good forward-secrecy against client compromise, even for 0-RTT
data.  PSK_NN may or may not, it depends on whether the PSK is used
for multiple sessions, or is used once, then destroyed.

Forward-secrecy against server compromise also depends:
 * For PSK_NN, 0-RTT forward secrecy depends on how frequently the
server rotates its ticket-encrypting key (assuming it's giving the
client session tickets so it can process resumptions without state).
 * For IK, 0-RTT forward secrecy depends on how frequently the server
rotates its static public key.

We've talked a little about "semi-static" keys, where the server gives
the client a "semi-static" resumption public key which is used only
for resumption with IK.  That might make it easier for the server to
get better 0-RTT forward secrecy with IK, by rotating semi-static keys
more frequently.

PSK_NN has less computation.  Noise_IK is simpler...  So it's not a
simple tradeoff!


We might consider aligning public-key (IK, XK, NK) and PSK resumption,
so it was easier for protocols to support both.

For example, the "channel-bound keys" thing doesn't work for
semi-static public keys.  For those, the client would probably need to
store a channel-binding value and use it as a prologue for resumption.
So we could consider dropping the "channel-bound keys" notion and make
PSK resumption, and IK resumption without semi-static public keys, all
work the same way.

Something to think about, at least.


Trevor

More information about the Noise mailing list