[noise] verifying received static remote key

David Wong davidwong.crypto at gmail.com
Wed Nov 1 09:54:32 PDT 2017

Hey again,

Sorry if I'm repeating myself (or someone else). Here is the current
documentation for ReadMessage:

> For "s": Sets temp to the next DHLEN + 16 bytes of the message if HasKey() == True, or to the next DHLEN bytes otherwise. Sets rs (which must be empty) to DecryptAndHash(temp).

I think it should include two additional steps:

1) IF the remote static key is known because it was processed during a
pre-message pattern, it needs to be checked against the received one.
If they are different, the handshake needs to be aborted.

2) ELSE, a verifyRemoteStaticKey() function (or something like that)
needs to be called on the received static remote key. If it returns
false, the handshake needs to be aborted.

Without that, the static keys are accepted right away in N or X
patterns. I agree that verifying a transmitted (X) key is out of scope
for the document; nonetheless, I think it should still declare either a
verifyRemoteStaticKey in the handshakeState, or as an argument to
ReadMessage. And the spec should also mention that this is a sensitive
function to implement and that it is the role of the designer to come
up with something to verify the key.

What do you think?
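
The two checks proposed in the message above, written out as an added example; this is not code from the post, the Noise specification, or any Noise library. `read_s`, `known_rs`, `HandshakeAborted` and `UnkeyedSymmetricState` are hypothetical names, and the state models only the HasKey() == False case, assuming SHA-256 and DHLEN = 32.

```python
import hashlib
import hmac

DHLEN, TAGLEN = 32, 16  # assumed: 25519 public key size, AEAD tag size

class HandshakeAborted(Exception):
    """Raised when the received remote static key is rejected."""

class UnkeyedSymmetricState:
    """Hypothetical minimal SymmetricState with no cipher key yet,
    so the "s" token arrives unencrypted (HasKey() == False)."""
    def __init__(self, protocol_name: bytes):
        # h starts as the zero-padded name if it fits in HASHLEN, else its hash.
        self.h = (protocol_name.ljust(32, b"\0") if len(protocol_name) <= 32
                  else hashlib.sha256(protocol_name).digest())

    def has_key(self) -> bool:
        return False

    def decrypt_and_hash(self, data: bytes) -> bytes:
        self.h = hashlib.sha256(self.h + data).digest()  # MixHash(data)
        return data  # without a key, the plaintext is the data itself

def read_s(sym, message, known_rs=None, verify_remote_static_key=None):
    """Process an "s" token. Returns (rs, remaining message bytes)."""
    n = DHLEN + TAGLEN if sym.has_key() else DHLEN
    if len(message) < n:
        raise HandshakeAborted("message too short for the s token")
    rs = sym.decrypt_and_hash(message[:n])
    if known_rs is not None:
        # Proposed step 1: key already known from a pre-message pattern.
        if not hmac.compare_digest(rs, known_rs):
            raise HandshakeAborted("static key differs from the known key")
    elif verify_remote_static_key is None or not verify_remote_static_key(rs):
        # Proposed step 2: application callback; no callback means reject.
        raise HandshakeAborted("remote static key was not accepted")
    return rs, message[n:]

if __name__ == "__main__":
    # Constructed sample values, not real keys.
    name = b"Noise_XX_25519_ChaChaPoly_SHA256"
    trusted = {bytes(range(32))}
    rs, rest = read_s(UnkeyedSymmetricState(name), bytes(range(32)) + b"hi",
                      verify_remote_static_key=trusted.__contains__)
    print(rs.hex(), rest)
```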

