[noise] Resumption (was Re: Channel-bound keys)

Trevor Perrin trevp at trevp.net
Fri Mar 17 01:38:52 PDT 2017

On Thu, Mar 16, 2017 at 3:43 AM, Trevor Perrin <trevp at trevp.net> wrote:
> We might consider aligning public-key (IK, XK, NK) and PSK resumption,
> so it was easier for protocols to support both.
> For example, the "channel-bound keys" thing doesn't work for
> semi-static public keys.

Thinking more about making different resumption methods similar.
Another idea, instead of channel-bound keys:

In addition to IK based on the server's static public key, we have two
forms of resumption based on server-provided values:

 (A) Resumption PSK and session ticket, or

 (B) Short-lived ("semi-ephemeral") public key

To prevent the server relaying someone else's PSK or semi-ephemeral
public key, we require a client to bind the server's identity in the
first resumption message.  Given that, PSK handling is simple: the
server just sends the client the PSK.

To bind the server's identity, we could define a pattern
transformation that adds the server's static as a pre-message, if it's
not one already.  E.g.

  <- s
  -> e
  <- e, ee

Since we're using the server's static within the pattern, we can't
treat the short-lived key as a "semi-static", so instead we have to
consider it a "semi-ephemeral", since ephemeral keys are allowed to be
replaced within the pattern.  But a pattern-transformation for
semi-ephemeral keys could convert the server's "s" to "e":

  <- s, e
  -> e, ee, s, se
  <- e, ee, se

Is this making sense?


More information about the Noise mailing list