[noise] Channel-bound keys
Trevor Perrin
trevp at trevp.net
Thu Mar 16 03:43:54 PDT 2017
On Thu, Mar 16, 2017 at 2:09 AM, Alexey Ermishkin <scratch.net at gmail.com> wrote:
> Looks good to me. But I have a more general PSK question.
> I understand how pre-shared keys work, but how much security do they add? How much is 0-RTT IK safer with PSK than pure IK? Would be nice to have a comparison table to decide whether to spend time on implementing something like session cookies.
Comparing IK to PSK_NN with a resumption PSK:

IK has stronger authentication because it authenticates the other
party's public key. With PSK_NN someone who steals your resumption
PSK can impersonate other parties *TO* you.

IK has good forward-secrecy against client compromise, even for 0-RTT
data. PSK_NN may or may not, it depends on whether the PSK is used
for multiple sessions, or is used once, then destroyed.

Forward-secrecy against server compromise also depends:

* For PSK_NN, 0-RTT forward secrecy depends on how frequently the
server rotates its ticket-encrypting key (assuming it's giving the
client session tickets so it can process resumptions without state).

* For IK, 0-RTT forward secrecy depends on how frequently the server
rotates its static public key.

We've talked a little about "semi-static" keys, where the server gives
the client a "semi-static" resumption public key which is used only
for resumption with IK. That might make it easier for the server to
get better 0-RTT forward secrecy with IK, by rotating semi-static keys
more frequently.

PSK_NN has less computation. Noise_IK is simpler... So it's not a
simple tradeoff!

We might consider aligning public-key (IK, XK, NK) and PSK resumption,
so it was easier for protocols to support both.

For example, the "channel-bound keys" thing doesn't work for
semi-static public keys. For those, the client would probably need to
store a channel-binding value and use it as a prologue for resumption.

So we could consider dropping the "channel-bound keys" notion and make
PSK resumption, and IK resumption without semi-static public keys, all
work the same way.

Something to think about, at least.
Trevor
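
The point above about PSK_NN 0-RTT forward secrecy depending on ticket-key rotation, as an added example that is not part of the original message or of any Noise implementation: a server key ring that seals a resumption PSK into a stateless ticket and retains only the current and previous key. The `TicketKeys` type, the AES-256-GCM ticket format and the two-key window are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type TicketKeys struct{ cur, prev cipher.AEAD } // hypothetical key ring: current, previous

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Rotate installs a fresh AES-256-GCM key and drops the one leaving the window.
func (t *TicketKeys) Rotate() *TicketKeys {
	key := make([]byte, 32)
	must(rand.Read(key))
	t.prev, t.cur = t.cur, must(cipher.NewGCM(must(aes.NewCipher(key))))
	return t
}

// Seal wraps a resumption PSK as nonce || ciphertext under the current key.
func (t *TicketKeys) Seal(psk []byte) []byte {
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	return t.cur.Seal(nonce, nonce, psk, nil)
}

// Open tries both retained keys; false means neither can open the ticket.
func (t *TicketKeys) Open(ticket []byte) ([]byte, bool) {
	for _, k := range []cipher.AEAD{t.cur, t.prev} {
		if k != nil && len(ticket) > 12 {
			if psk, err := k.Open(nil, ticket[:12], ticket[12:], nil); err == nil {
				return psk, true
			}
		}
	}
	return nil, false
}

func main() {
	t := new(TicketKeys).Rotate()
	ticket := t.Seal([]byte("constructed resumption PSK"))
	fmt.Println(t.Rotate().Rotate().Open(ticket)) // two rotations later: [] false
}
```

With a previous key retained, a ticket stays openable for up to two rotation intervals, and that is the period during which a server compromise exposes the PSK inside it. A deployment would also have to erase rotated-out keys from any persistent store, which this in-memory sketch does not model.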