[noise] non replayable XK/KK?

Rhys Weatherley rhys.weatherley at gmail.com
Sat Jan 27 15:00:38 PST 2018


On Sun, Jan 28, 2018 at 5:26 AM, Trevor Perrin <trevp at trevp.net> wrote:

> Anyways, your important observation (from the Dominic Tarr paper) is
> that an attacker replaying an initial message in NKpsk0 (for example)
> could confirm the server still has the same static key and PSK, if it
> responds.
>

This is an issue because the specification requires early abort as soon as
a MAC check fails.  But if the handshake ran to completion every time
before reporting the failure, then the information leakage would not
occur.  That is, collect errors along the way but then continue in a
constant-time manner as though the values were correct.  Abort upon the
final handshake packet just before the Split().

Cheers,

Rhys.
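A toy simulation of the deferred-abort idea above, added here as an example and not code from the Noise specification or any Noise library. The "handshake" below is a constructed stand-in (a hash-derived key and an HMAC tag), not the real NKpsk0 pattern; what it shows is the control-flow shape: one responder stops replying as soon as a tag check fails, the other records the failure, keeps computing on the same path, returns a same-sized reply, and fails only at the point where Split() would be called.

```python
import hashlib
import hmac
import os

TAG_LEN = 32    # bytes of HMAC-SHA256 tag appended to every message
EPH_LEN = 32    # bytes of the (constructed) ephemeral value


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def build_message1(static_secret: bytes, psk: bytes, payload: bytes) -> bytes:
    """Initiator side of the toy handshake: ephemeral || payload || tag."""
    ephemeral = os.urandom(EPH_LEN)
    k1 = hashlib.sha256(static_secret + psk + ephemeral).digest()
    return ephemeral + payload + _mac(k1, ephemeral + payload)


class ToyResponder:
    def __init__(self, static_secret: bytes, psk: bytes, deferred: bool):
        self.static_secret = static_secret
        self.psk = psk
        self.deferred = deferred   # True: collect failures, abort only in finish()
        self.failed = False

    def handle_message1(self, msg: bytes):
        """Process the initiator's first message; returns a reply or None."""
        ephemeral, payload, tag = msg[:EPH_LEN], msg[EPH_LEN:-TAG_LEN], msg[-TAG_LEN:]
        k1 = hashlib.sha256(self.static_secret + self.psk + ephemeral).digest()
        ok = hmac.compare_digest(_mac(k1, ephemeral + payload), tag)
        # Record the result instead of acting on it. (Python cannot give a real
        # constant-time guarantee; this only illustrates the control flow.)
        self.failed = self.failed or not ok
        if not ok and not self.deferred:
            return None   # early abort: a replaying peer can observe the silence
        # Same computations and same reply size whether or not the tag was valid;
        # the (possibly garbage) payload is only mixed in, never acted upon.
        k2 = hashlib.sha256(k1 + payload).digest()
        reply_ephemeral = os.urandom(EPH_LEN)
        return reply_ephemeral + _mac(k2, reply_ephemeral)

    def finish(self) -> str:
        """Just before Split(): the single point at which failure is reported."""
        if self.failed:
            raise ValueError("handshake failed")
        return "transport keys"
```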