[noise] Resumption PSKs

David Wong davidwong.crypto at gmail.com
Tue Jun 12 09:22:18 PDT 2018


From an API perspective, the cleanest and the retro-compatible way is
to not change Split() and have Split() iterate the chaining key as I
pointed out in my first reply to this thread.

Sure applications can delete the handshakeState, but the ones that
won't delete the handshakeState now have a handshakeState that is
benign (since the chainkey has been iterated and cannot be used to
derive the session keys anymore) and if they do want to use the
functionality that str4d is looking for then they can preserve the
handshakeState on purpose.

Now if libraries delete the handshakeState themselves we have an
issue, but if this proposition is accepted then up-to-date libraries
can have Split iterate the chaining key and not delete the
handshakeState.

Note that for the handshakeState to be completely benign, the private
keys associated to ephemeral keys still need to be removed. I think
this is a good argument to point out in relevant places --maybe
Write/ReadMessage()-- that a DH(e, something) should remove the
e_private as well.

David
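
As an added illustration (not David's code and not normative Noise text), here is a toy Python model of the two Split() behaviours being compared: the Noise HKDF and Split are reproduced with SHA-256, while the ratchet step (taking the third HKDF output as the new chaining key) and the wiping of e_private are my assumptions about what "iterate the chaining key" could look like. The sample chaining key and ephemeral key are constructed values.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import List, Optional

def noise_hkdf(ck: bytes, ikm: bytes, num_outputs: int) -> List[bytes]:
    """Noise HKDF (spec section 4.3) with SHA-256, HASHLEN = 32."""
    temp_key = hmac.new(ck, ikm, hashlib.sha256).digest()
    outputs, prev = [], b""
    for i in range(1, num_outputs + 1):
        prev = hmac.new(temp_key, prev + bytes([i]), hashlib.sha256).digest()
        outputs.append(prev)
    return outputs

@dataclass
class HandshakeState:
    """Just the two fields this thread is about."""
    ck: bytes
    e_private: Optional[bytes] = None

    def split_original(self):
        # Split() as specified: derive the session keys, leave ck and e_private untouched.
        k1, k2 = noise_hkdf(self.ck, b"", 2)
        return k1, k2

    def split_iterating(self):
        # Proposed variant (assumed mechanics): same two session keys, so callers see no
        # API change, then ratchet ck and wipe e_private so the leftover state is benign.
        # The ratchet uses the third HKDF output: the first output IS k1, so never reuse it.
        k1, k2, new_ck = noise_hkdf(self.ck, b"", 3)
        self.ck = new_ck
        self.e_private = None
        return k1, k2

    def rederives(self, k1: bytes, k2: bytes) -> bool:
        # Can whoever holds this post-Split state recompute the session keys from it?
        return noise_hkdf(self.ck, b"", 2) == [k1, k2]

def demo() -> dict:
    """Constructed example: one initial chaining key run through both Split() variants."""
    ck0 = hashlib.sha256(b"constructed chaining key for the example").digest()
    a, b = HandshakeState(ck0, b"\x11" * 32), HandshakeState(ck0, b"\x11" * 32)
    keys_a, keys_b = a.split_original(), b.split_iterating()
    return {
        "same_session_keys": keys_a == keys_b,
        "original_state_rederives": a.rederives(*keys_a),
        "iterating_state_rederives": b.rederives(*keys_b),
        "iterating_wiped_e_private": b.e_private is None,
    }
```

Running demo() shows both variants hand the application identical session keys, but only the un-iterated handshakeState can still re-derive them afterwards.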

