[noise] Draft extension: Authentication of handshake data between messages

str4d str4d at i2pmail.org
Tue May 29 00:24:52 PDT 2018


On 05/29/2018 06:28 AM, Trevor Perrin wrote:
> Interesting, this feels similar to PSKs to me - PSKs are a way to
> inject external keys, and this would be a way to inject external
> handshake transcript.

Mmm, that's a nice analogy.

> 
> I think we'd want this included in modifiers, not arbitrarily called
> by the application.  Currently the protocol name precisely specifies
> the sequence of MixHash/MixKey crypto steps.  That's important to
> avoid cross-protocol attacks, so if we're going to modify the crypto
> steps we should reflect that precisely in the protocol name, via
> modifiers.

Makes sense.

> 
> I wonder whether the "psk?" modifier approach could be directly
> adapted, i.e. if we had an "h?" modifier where you could specify h0,
> h1, h2, etc just like psk0, psk1, etc, would that suffice?  Or maybe
> you'd want more flexible placement?

I think this might suffice. I'll try implementing this in snow and see
if it can be made exactly compatible with my existing protocol
implementation.

str4d
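
The binding discussed in the quoted text, as an added example that is not part of the original message or of snow: in Noise the protocol name seeds `h` and every MixHash extends it, so injected transcript data changes `h`, and a modifier in the name separates the modified protocol from the base one. The `XKh0` name, the placement of the injected data before the first message token (by analogy with `psk0`), and all byte values are assumptions constructed for illustration.

```python
import hashlib

HASHLEN = 32  # SHA-256 output length

def initialize_symmetric(protocol_name: bytes) -> bytes:
    """Noise InitializeSymmetric: the protocol name becomes the initial h."""
    if len(protocol_name) <= HASHLEN:
        return protocol_name.ljust(HASHLEN, b"\x00")
    return hashlib.sha256(protocol_name).digest()

def mix_hash(h: bytes, data: bytes) -> bytes:
    """Noise MixHash: h = HASH(h || data)."""
    return hashlib.sha256(h + data).digest()

def transcript_hash(protocol_name: bytes, prologue: bytes, steps) -> bytes:
    """Run the hash side of a handshake: name, prologue, then each mixed item."""
    h = mix_hash(initialize_symmetric(protocol_name), prologue)
    for data in steps:
        h = mix_hash(h, data)
    return h

# Constructed sample values (not from the thread).
BASE = b"Noise_XK_25519_ChaChaPoly_SHA256"
MODIFIED = b"Noise_XKh0_25519_ChaChaPoly_SHA256"  # hypothetical "h0" modifier
PROLOGUE = b""
EXTERNAL = b"constructed-external-transcript"
E_PUB = bytes(range(32))  # stand-in for an ephemeral public key

def scenarios() -> dict:
    return {
        # Plain base protocol: only the handshake token is hashed.
        "base": transcript_hash(BASE, PROLOGUE, [E_PUB]),
        # Application calls MixHash itself; the name does not reflect it.
        "ad_hoc": transcript_hash(BASE, PROLOGUE, [EXTERNAL, E_PUB]),
        # Same crypto steps, but declared in the protocol name.
        "named": transcript_hash(MODIFIED, PROLOGUE, [EXTERNAL, E_PUB]),
    }

if __name__ == "__main__":
    for label, h in scenarios().items():
        print(f"{label:7s} {h.hex()}")
```

A peer running the base protocol and a peer injecting data end with different `h`, so the first AEAD operation that uses `h` as associated data fails; only the named variant also differs from the base protocol in its starting state.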
