[noise] Draft extension: Authentication of handshake data between messages

Trevor Perrin trevp at trevp.net
Mon May 28 11:28:46 PDT 2018


On Mon, May 28, 2018 at 5:18 AM, str4d <str4d at i2pmail.org> wrote:
> # Noise extension: Authentication of handshake data between messages
[...]
> Noise supports a prologue input that can be used to authenticate data
> generated _before_ a handshake starts. This extension provides a way to
> authenticate data generated _during_ a handshake, but _before_ its
> completion.
[...]
> [Meta-note: I wasn't sure whether to indicate this behaviour with a
> modifier, or rely on the higher-layer protocol to define its usage.
> Modifiers are canonically used for modifying the behaviour of
> WriteMessage() and ReadMessage(), whereas this extension modifies
> handshake validity outside them.]

Interesting, this feels similar to PSKs to me - PSKs are a way to
inject external keys, and this would be a way to inject external
handshake transcript.

I think we'd want this included in modifiers, not arbitrarily called
by the application.  Currently the protocol name precisely specifies
the sequence of MixHash/MixKey crypto steps.  That's important to
avoid cross-protocol attacks, so if we're going to modify the crypto
steps we should reflect that precisely in the protocol name, via
modifiers.

I wonder whether the "psk?" modifier approach could be directly
adapted, i.e. if we had an "h?" modifier where you could specify h0,
h1, h2, etc just like psk0, psk1, etc, would that suffice?  Or maybe
you'd want more flexible placement?

Trevor
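To make the "h?" idea above concrete, here is a toy sketch (added illustration, not Noise's own code or spec, and not str4d's draft): a SymmetricState with the MixHash/MixKey shape from the Noise spec, a parser that pulls lowercase modifiers such as "h1" or "psk2" out of the pattern section of the protocol name, and a handshake driver that mixes external data into h at the position the modifier names. The placement rule (h0 before the first message, hN right after message N), the message bodies, the DH stand-ins and the external data are all assumptions constructed for the example; encryption, real DH and Split() are omitted.

```python
"""Toy sketch of an "hN" modifier for Noise: external handshake data is
MixHash-ed at a position named by the protocol string, so the name still
fixes the exact MixHash/MixKey sequence.  Added illustration only; not the
Noise spec's or any implementation's code."""
import hashlib
import hmac
import re

HASHLEN = 32


def noise_hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hkdf2(chaining_key: bytes, ikm: bytes) -> tuple:
    """Two-output HKDF in the Noise spec's HMAC-based shape (SHA256 here)."""
    temp = hmac.new(chaining_key, ikm, hashlib.sha256).digest()
    out1 = hmac.new(temp, b"\x01", hashlib.sha256).digest()
    out2 = hmac.new(temp, out1 + b"\x02", hashlib.sha256).digest()
    return out1, out2


class SymmetricState:
    def __init__(self, protocol_name: bytes):
        # InitializeSymmetric: h is the name zero-padded to HASHLEN, or HASH(name)
        if len(protocol_name) <= HASHLEN:
            self.h = protocol_name + b"\x00" * (HASHLEN - len(protocol_name))
        else:
            self.h = noise_hash(protocol_name)
        self.ck = self.h
        self.k = None

    def mix_hash(self, data: bytes) -> None:
        self.h = noise_hash(self.h + data)

    def mix_key(self, ikm: bytes) -> None:
        self.ck, self.k = hkdf2(self.ck, ikm)


def parse_modifiers(protocol_name: str) -> set:
    """Modifier set from the pattern section of the name, e.g.
    'Noise_XXh1+psk2_25519_ChaChaPoly_SHA256' -> {'h1', 'psk2'}."""
    pattern = protocol_name.split("_")[1]
    m = re.fullmatch(r"([A-Z]+)((?:[a-z][a-z0-9]*)(?:\+[a-z][a-z0-9]*)*)?", pattern)
    if m is None:
        raise ValueError("unparseable pattern section: " + pattern)
    return set(m.group(2).split("+")) if m.group(2) else set()


def run_handshake(protocol_name: str, messages: list, dh_outputs: list,
                  external: dict, prologue: bytes = b"") -> bytes:
    """Drive the symmetric state over a transcript and return the final h.
    messages[i-1] is handshake message i, dh_outputs[i-1] a stand-in for the
    DH result mixed after it.  external maps a position to the data to
    MixHash there (assumed rule: h0 = before message 1, hN = after message N).
    A named position with no data is an error: the name promised a MixHash."""
    mods = parse_modifiers(protocol_name)
    positions = {int(m[1:]) for m in mods if re.fullmatch(r"h[0-9]+", m)}
    for pos in positions:
        if pos not in external:
            raise ValueError("modifier h%d named but no external data given" % pos)
    ss = SymmetricState(protocol_name.encode())
    ss.mix_hash(prologue)
    if 0 in positions:
        ss.mix_hash(external[0])
    for n, (msg, dh) in enumerate(zip(messages, dh_outputs), start=1):
        ss.mix_hash(msg)
        ss.mix_key(dh)
        if n in positions:
            ss.mix_hash(external[n])
    return ss.h


# Constructed sample transcript: not real Noise messages or DH outputs.
MESSAGES = [b"e:" + b"\x11" * 32, b"e,ee,s,es:" + b"\x22" * 64, b"s,se:" + b"\x33" * 48]
DH = [b"\x01" * 32, b"\x02" * 32, b"\x03" * 32]
EXTERNAL = {1: b"constructed-external-data-v1"}  # mixed after message 1 under h1


def demo() -> dict:
    """Same transcript under the plain name, under 'h1' with one external
    value, and under 'h1' with a different value: three different hashes."""
    plain = "Noise_XX_25519_ChaChaPoly_SHA256"
    with_h1 = "Noise_XXh1_25519_ChaChaPoly_SHA256"
    return {
        "plain": run_handshake(plain, MESSAGES, DH, {}),
        "h1": run_handshake(with_h1, MESSAGES, DH, EXTERNAL),
        "h1_other": run_handshake(with_h1, MESSAGES, DH, {1: b"constructed-external-data-v2"}),
    }


if __name__ == "__main__":
    for name, h in demo().items():
        print(name, h.hex())
```

Because h doubles as the AEAD associated data in Noise, a peer that runs the plain name against one that mixed external data at h1 ends up with a different h and the handshake fails rather than silently agreeing on a transcript that one side never saw; the modifier in the name is what makes both sides perform the same MixHash at the same point.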

