[noise] wire guard handshake properties?

Trevor Perrin trevp at trevp.net
Fri Jun 8 21:56:53 PDT 2018


On Fri, Jun 8, 2018 at 12:24 PM, dawuud <dawuud at riseup.net> wrote:
>
> Hi.
>
> A friend of mine recently suggested that the Wire Guard noise handshake, IK
> allows an adversary to retroactively identify sessions belonging to a compromised
> client key. Is this true?
>
> IK(s, rs):
> <- s
> ...
> -> e, es, s, ss
> <- e, ee, se
>
> Looking at this handshake pattern, it seems to me that in order to decrypt
> 's' in the first handshake message, the adversary would need the server's private
> key since the client's ephemeral private key has been destroyed.
>
> If this is correct then shouldn't this be articulated in the security properties section
> before more developers decide to use it?

Hi David,

Section 7.5 on "Identity hiding" has the description of these
properties you're looking for.

Trevor


More information about the Noise mailing list