[noise] WireGuard handshake properties?

dawuud dawuud at riseup.net
Fri Jun 8 05:24:20 PDT 2018


Hi.

A friend of mine recently suggested that the WireGuard Noise handshake, IK,
allows an adversary to retroactively identify sessions belonging to a compromised
client key. Is this true?

IK(s, rs):
<- s
...
-> e, es, s, ss
<- e, ee, se

Looking at this handshake pattern, it seems to me that in order to decrypt
's' in the first handshake message, the adversary would need the server's private
key since the client's ephemeral private key has been destroyed.

If this is correct then shouldn't this be articulated in the security properties section
before more developers decide to use it?

I'm sure IK is tempting because:
1. symmetrical computational overhead
2. zero-RTT encryption


David
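
Added example, not part of the original post: a Python sketch of the key derivation the question turns on. It applies the Noise specification's MixKey step for the `es` token, with BLAKE2s as the hash, to get the key that encrypts 's' in the first IK message, then compares what each key holder can compute. The protocol name string, the fixed key bytes and the function names are assumptions made for illustration.

```python
import hashlib, hmac

P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")  # Curve25519 base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 (Montgomery ladder). Not constant-time; illustration only."""
    n = (int.from_bytes(k, "little") & ((1 << 255) - 8)) | (1 << 254)  # clamp scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def hmac_b2s(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.blake2s).digest()

def static_field_key(dh_es: bytes) -> bytes:
    """Noise MixKey for 'es': returns k, the AEAD key that encrypts 's'.
    k depends only on the initial chaining key and DH(e, rs); the handshake
    hash is associated data and does not enter the key."""
    ck = hashlib.blake2s(b"Noise_IK_25519_ChaChaPoly_BLAKE2s").digest()  # assumed name
    temp = hmac_b2s(ck, dh_es)
    ck_next = hmac_b2s(temp, b"\x01")          # HKDF output 1: next chaining key
    return hmac_b2s(temp, ck_next + b"\x02")   # HKDF output 2: k

def demo() -> dict:
    # Constructed private keys (fixed bytes so the run is reproducible).
    e_priv, s_priv, rs_priv = b"\x11" * 32, b"\x22" * 32, b"\x33" * 32
    e_pub, rs_pub = x25519(e_priv, BASE), x25519(rs_priv, BASE)
    return {
        "initiator": static_field_key(x25519(e_priv, rs_pub)),  # needs ephemeral e
        "responder": static_field_key(x25519(rs_priv, e_pub)),  # needs server static rs
        # With only the client static private key, these are the DH values available:
        "s_with_e_pub": static_field_key(x25519(s_priv, e_pub)),
        "s_with_rs_pub": static_field_key(x25519(s_priv, rs_pub)),
    }

if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:14} {key.hex()}")
```

Only the first two rows print the same key: the client's static private key alone does not reproduce it, while the server's static private key does.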

