[noise] Noise Explorer
Trevor Perrin
trevp at trevp.net
Thu May 24 01:55:44 PDT 2018
On Wed, May 23, 2018 at 6:08 PM, Katriel Cohn-Gordon <me at katriel.co.uk> wrote:
> Hi all,
>
> This looks to me a bit like an unknown key-share attack against the initiator:
Hi Katriel,
Maybe I missed something, but I thought Karthik was just describing
the simple case where the sender of a message hasn't authenticated the
recipient yet.
> - the initiator A thinks they have a session with the responder B, and
> - there is indeed a session with the same key at the responder B, but
> - B thinks that that session is in fact with the adversary E.
>
> Are there (authenticated) Noise protocols for which the above can happen? If so, is that intentional?
If each party's identity is a unique static public key, then I don't
think this could happen, since static public keys are included in the
transcript hash which both parties agree to.
If a static public key is used with different identities or roles,
then you'd want to include the identity/role in the prologue or
payload, to make sure both parties agreed to it.
That's a generic concern with any protocol like this. But we could
think about adding a security consideration for it.
Trevor
More information about the Noise
mailing list