[noise] rev32b (Release Candidate)

Trevor Perrin trevp at trevp.net
Sat May 13 10:09:26 PDT 2017


On Sat, May 13, 2017 at 1:09 AM, Alex <alex at centromere.net> wrote:
> On Thu, 11 May 2017 18:27:49 +0000
> Trevor Perrin <trevp at trevp.net> wrote:
>
>> The new design provides PSK flexibility with a "psk" token, and uses a
>> naming scheme that fits with the "modifier" syntax we currently use
>> for "fallback", and have discussed using for signatures ("sig"),
>> post-quantum ("hfs"), and other pattern transformations ("noidh",
>> others).
>>
>
> Does the following accurately describe your intention behind the `psk`
> token?:
>
> Noise_IKpsk1(s, rs):
>    <- s
>    ...
>    -> e, es, s, ss, psk(lookup_psk_in_database(s.public_key))
>    <- e, ee, se


That's one way it could be used.

If you use psk2 instead of psk1 the responder can defer the lookup
until after decrypting the first payload, which could help DoS
resistance (e.g. allowing the responder to check a payload timestamp
and discard old replays before looking up the PSK, which I think is
the WireGuard rationale), or the responder could use something in the
payload (e.g. a username) to lookup the PSK.

Trevor


More information about the Noise mailing list