[noise] question on Noise_KK and KCI
Trevor Perrin
trevp at trevp.net
Sat Jun 24 12:09:37 PDT 2017
On Sat, Jun 24, 2017 at 5:57 PM, David Wong <davidwong.crypto at gmail.com> wrote:
> Hello all,
>
> The spec says that Noise_KK is vulnerable to KCI in the first message pattern:
>
> -> e, es, ss 1 2
>
> But here, the key used also depends on the ephemeral key of the sender
> which is unknown to the attacker. So how does knowing the private key
> to sender's s help here?

Other way around - knowing the recipient's private key allows
impersonation of the sender (the initiator, here).

Trevor
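
An added example, not part of the original thread or of the Noise project's code: it shows why the first Noise_KK message authenticates the initiator only against parties that do not hold the responder's static private key, since `es` uses an ephemeral the sender picks freshly and `ss` can be computed from either static private key. Assumptions: a toy finite-field DH stands in for X25519, a single SHA-256 call stands in for Noise's MixKey chain, and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy finite-field DH standing in for Noise's DH function (assumption: Noise
# itself uses X25519 or X448). Only the symmetry DH(a, B) == DH(b, A) matters.
P = 2**255 - 19  # prime modulus
G = 2

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(32, "big")

def msg1_key(es, ss):
    # Simplified stand-in for Noise's MixKey chain: bind both DH outputs in order.
    return hashlib.sha256(b"KK msg1" + es + ss).digest()

def initiator_msg1(i_priv, r_pub):
    """Honest initiator: needs its own static private key for ss."""
    e_priv, e_pub = keypair()
    return e_pub, msg1_key(dh(e_priv, r_pub), dh(i_priv, r_pub))

def responder_msg1(r_priv, i_pub, e_pub):
    """Responder: derives es and ss from its static private key alone."""
    return msg1_key(dh(r_priv, e_pub), dh(r_priv, i_pub))

def msg1_from_responder_static(r_priv, r_pub, i_pub):
    """Holder of the responder's static private key, with only the initiator's
    static PUBLIC key: a fresh ephemeral gives es, and ss = DH(r_priv, i_pub)."""
    e_priv, e_pub = keypair()
    return e_pub, msg1_key(dh(e_priv, r_pub), dh(r_priv, i_pub))

def demo():
    i_priv, i_pub = keypair()
    r_priv, r_pub = keypair()
    e1, k_honest = initiator_msg1(i_priv, r_pub)
    e2, k_kci = msg1_from_responder_static(r_priv, r_pub, i_pub)
    # Control: a third party with neither static private key cannot form ss.
    x_priv, _ = keypair()
    e3, k_outsider = initiator_msg1(x_priv, r_pub)
    return (responder_msg1(r_priv, i_pub, e1) == k_honest,
            responder_msg1(r_priv, i_pub, e2) == k_kci,
            responder_msg1(r_priv, i_pub, e3) == k_outsider)

if __name__ == "__main__":
    print(demo())  # (honest key matches, responder-key holder matches, outsider matches)
```

For a responder this means a first-message payload should not be treated as proof of the initiator's identity in any threat model where the responder's own static key may have leaked.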