[noise] Noise Explorer

Karthikeyan Bhargavan karthik.bhargavan at gmail.com
Wed May 23 10:55:31 PDT 2018


> Also, can you explain the attack where there is the comment
> "However, if the responder carries out a separate session with a separate,
> compromised initiator, this other session can be used to forge the authenticity
> of this message with this session's initiator." - not quite clear how
> this works…

I believe this scenario (attack is too strong a word) generally occurs in stages when the initiator is not (yet) authenticated;
so the attacker can forward the initiator’s message over its own connection to the responder,
and the responder’s responder (intended for the attacker) can be forwarded by the attacker to the initiator.
Consequently, even if this the second flight (response) is authenticated by the responder, and hence provides
sender authentication, it does not provide receiver authentication.

More generally, I would like to see “receiver authentication” included in the authenticity goals (perhaps as level 3?)
This property means that if Bob receives a message from Alice, he knows that Alice intended to send this message to Bob and not to someone else.
Currently, receiver authentication is buried in the text of the secrecy properties and this feels less than ideal.

-Karthik


> 
> Justin
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/noise



More information about the Noise mailing list