[noise] Pattern validity questions

Alex alex at centromere.net
Sun May 14 13:06:16 PDT 2017


On Sun, 14 May 2017 19:52:48 +0000
Trevor Perrin <trevp at trevp.net> wrote:

> On Sun, May 14, 2017 at 7:31 PM, Alex <alex at centromere.net> wrote:
> > In section 7.1 of rev32b, item 2 states:
> >  
> >> Parties must not send their static public key, or an ephemeral
> >> public key, more than once per handshake (i.e. including the
> >> pre-messages, there must be no more than one occurrence of "e",
> >> and one occurrence of "s", in the messages sent by any party).  
> >
> > The language says, "no more than one", which indicates to me that
> > it's valid to have a pattern with zero e tokens. Wouldn't this lead
> > to catastrophic key re-use?  
> 
> No, key reuse is prevented by 7.1 bullet 3 (for DH) and 9.3 (for PSK).
> 
> Currently the spec allows handshake patterns which don't use any DH
> outputs or PSKs, for example the empty pattern, or patterns like:
> 
>  -> e  
>  <- e
> 
> Where public keys are transmitted but never used.
> 
> We could add another validity rule to explicitly disallow this.
> However it's pretty obvious that if you don't use keys you won't get
> security.  So that doesn't seem like an important observation, and I
> think I'd be mildly opposed to adding it.
> 
> 
> > Should the language be modified to indicate
> > that the `e` token must appear "exactly once"?  
> 
> I think the existing rules are sufficient.
> 
> 
> > And item 3 states:
> >  
> >> After performing a DH between a remote public key and any local
> >> private key that is not an ephemeral private key, the local party
> >> must not send any encrypted data unless they have also performed a
> >> DH between an ephemeral private key and the remote public key.  
> >
> > What is meant by "must not send any encrypted data"? Is information
> > contained in the payload of a Noise message considered encrypted
> > data, or does "encrypted data" refer to information encrypted with
> > keys derived from Split()?  
> 
> What is meant is any data encrypted via ENCRYPT().  I'll think about
> how to be more explicit there.
> 

So in Noise_IK:

Noise_IK(s, rs):
   <- s
   ...
   -> e, es, s, ss
   <- e, ee, se

it is valid for the initiator to send encrypted data in the payload of
its first Noise message, *only* because of the presence of the `es`
token, correct? In other words, had that token not been there, it would
be an invalid pattern?

-- 
Alex
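
The two validity rules quoted in this thread (section 7.1, items 2 and 3), written out as a checker; this is an added example, not part of the original message or of the Noise specification. It assumes a token "xy" is a DH between the initiator's key x and the responder's key y, treats a sent "s" and the payload as encrypted once any DH token has been processed, and ignores PSKs; check_pattern and the sample patterns are hypothetical names.

```python
# Added example: checks only the two quoted validity rules (7.1 items 2 and 3).
# Assumption: token "xy" is a DH of the initiator's key x with the responder's key y.
DH_TOKENS = {"ee", "es", "se", "ss"}

def check_pattern(pre_messages, messages):
    """Return a list of rule violations; an empty list means the pattern passes.

    Each message is (sender, tokens) with sender "i" (initiator) or "r" (responder).
    """
    errors = []
    sent = {"i": [], "r": []}        # public keys each party has transmitted
    dhs = {"i": set(), "r": set()}   # (local key, remote key) DHs each party performed
    keyed = False                    # True once any DH output has been mixed in

    def rule3(party, what):
        # Every remote key used with the local static key must also have
        # been used with the local ephemeral key before anything is encrypted.
        for local, remote in sorted(dhs[party]):
            if local == "s" and ("e", remote) not in dhs[party]:
                errors.append(f"rule 3: {party} encrypts {what} after DH(s, r{remote}) "
                              f"without DH(e, r{remote})")

    def send_key(party, tok):
        if tok in sent[party]:
            errors.append(f"rule 2: {party} sends '{tok}' more than once")
        sent[party].append(tok)

    for sender, tokens in pre_messages:
        for tok in tokens:
            send_key(sender, tok)
    for sender, tokens in messages:
        for tok in tokens:
            if tok in DH_TOKENS:
                dhs["i"].add((tok[0], tok[1]))
                dhs["r"].add((tok[1], tok[0]))
                keyed = True
            else:
                send_key(sender, tok)
                if tok == "s" and keyed:   # a static key sent after a DH is encrypted
                    rule3(sender, "its static key")
        if keyed:                          # the payload is encrypted once a key exists
            rule3(sender, "the payload")
    return errors

# Constructed sample patterns: IK as written in the message, and IK with "es" removed.
IK = ([("r", ["s"])], [("i", ["e", "es", "s", "ss"]), ("r", ["e", "ee", "se"])])
IK_NO_ES = ([("r", ["s"])], [("i", ["e", "s", "ss"]), ("r", ["e", "ee", "se"])])
UNUSED_KEYS = ([], [("i", ["e"]), ("r", ["e"])])
```

Under this reading, IK passes both rules, while the same pattern with "es" removed is reported under rule 3 at the initiator's first payload.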

