[noise] WireGuard handshake properties?
dawuud
dawuud at riseup.net
Fri Jun 8 05:24:20 PDT 2018
Hi.
A friend of mine recently suggested that the WireGuard Noise handshake, IK,
allows an adversary to retroactively identify sessions belonging to a compromised
client key. Is this true?

    IK(s, rs):
      <- s
      ...
      -> e, es, s, ss
      <- e, ee, se

Looking at this handshake pattern, it seems to me that in order to decrypt
's' in the first handshake message, the adversary would need the server's private
key since the client's ephemeral private key has been destroyed.
If this is correct then shouldn't this be articulated in the security properties section
before more developers decide to use it?
I'm sure IK is tempting because:
1. symmetrical computational overhead
2. zero-RTT encryption
David
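
Added example, not part of the original message and not code from the Noise specification or WireGuard: a symbolic walk of the IK pattern quoted above that lists which DH terms protect each encrypted field, then checks which fields a passive adversary holding a given set of private keys could decrypt from a recorded handshake. The key labels (s_i, e_i, s_r, e_r), the function names, and the rule that a DH output requires one of its two private keys are assumptions of this model.

```python
# Symbolic model of Noise IK (added example; not Noise or WireGuard code).
# Assumption: passive adversary with a recorded transcript; a DH output can be
# computed only by someone holding one of the two private keys involved.

IK_MESSAGES = [
    ["e", "es", "s", "ss"],   # -> initiator to responder
    ["e", "ee", "se"],        # <- responder to initiator
]

# DH tokens name the initiator's key first and the responder's key second.
# Labels are this example's own: s_i/e_i initiator, s_r/e_r responder.
DH_TOKENS = {
    "ee": ("e_i", "e_r"),
    "es": ("e_i", "s_r"),
    "se": ("s_i", "e_r"),
    "ss": ("s_i", "s_r"),
}


def encrypted_fields(messages=IK_MESSAGES):
    """Map each encrypted field to the DH terms mixed into its key."""
    chain, fields = [], {}
    for number, tokens in enumerate(messages, start=1):
        for token in tokens:
            if token in DH_TOKENS:
                chain.append(token)
            elif token == "s" and chain:
                # A static key sent after a DH is encrypted under the current key.
                fields[f"msg{number}.s"] = list(chain)
        if chain:
            fields[f"msg{number}.payload"] = list(chain)
    return fields


def readable(compromised, messages=IK_MESSAGES):
    """Fields decryptable when the private keys in `compromised` are known."""
    held = set(compromised)
    return sorted(
        name for name, chain in encrypted_fields(messages).items()
        if all(held & set(DH_TOKENS[term]) for term in chain)
    )


if __name__ == "__main__":
    for keys in (["s_i"], ["s_r"], ["e_i"], ["s_i", "s_r"]):
        print(keys, "->", readable(keys) or "nothing")
```

In this model the client's static key alone (s_i) decrypts nothing, while the server's static key (s_r) decrypts the `s` and payload of the first message.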