[noise] Pattern validity questions
Alex
alex at centromere.net
Sun May 14 12:31:35 PDT 2017
In section 7.1 of rev32b, item 2 states:
> Parties must not send their static public key, or an ephemeral public
> key, more than once per handshake (i.e. including the pre-messages,
> there must be no more than one occurrence of "e", and one occurrence
> of "s", in the messages sent by any party).
The language says, "no more than one", which indicates to me that it's
valid to have a pattern with zero e tokens. Wouldn't this lead to
catastrophic key re-use? Should the language be modified to indicate
that the `e` token must appear "exactly once"?
And item 3 states:
> After performing a DH between a remote public key and any local
> private key that is not an ephemeral private key, the local party must
> not send any encrypted data unless they have also performed a DH
> between an ephemeral private key and the remote public key.
What is meant by "must not send any encrypted data"? Is information
contained in the payload of a Noise message considered encrypted data,
or does "encrypted data" refer to information encrypted with keys
derived from Split()?
"and the remote public key." -- any remote public key? Would it be
better if this said, "and a remote public key"?
Is the following an example of a pattern which specifically violates
rule 3?:
Noise_invalid(s, rs):
<- s
...
-> e, es, s, ss
<- e
--
Alex
More information about the Noise
mailing list