[noise] Resumption PSKs

Trevor Perrin trevp at trevp.net
Wed Jun 13 13:17:48 PDT 2018


On Wed, Jun 13, 2018 at 4:40 PM, Christopher Wood <
christopherwood07 at gmail.com> wrote:

> On Tue, Jun 12, 2018 at 10:20 AM Trevor Perrin <trevp at trevp.net> wrote:
> >
> > So the following sketch derives an Additional Symmetric Key (ASK) "master
> > key" from HKDF, which can then be used to create chains at a later point.
> >
> > The idea is that we can use this during the handshake as well as during
> > Split().  We haven't used HKDF info before, but using it now means that
> > ask_master derivation just requires a single extra HMAC, since it can share
> > the HKDF-Extract step with the existing HKDF:
> >
> > # During handshake
> > ck, k = HKDF(ck, ikm)
> > ask_master = HKDF(ck, ikm, info="ask")
> >
> > # During split
> > transport1, transport2 = HKDF(ck, zerolen)
> > ask_master = HKDF(ck, zerolen, info="ask")
> >
> > # Either case
> > create_chains(labels):
> >   ask_chain1 = HMAC(ask_master, h || label1)
> >   ask_chain2 = HMAC(ask_master, h || label2)
> >   ask_chain3 = HMAC(ask_master, h || label3)
> >   ...
> >   delete ask_master
>
> This is quite nice. To be clear, create_chains is invoked after
> Split(), correct? If an application doesn't need transport keys, would
> it still invoke Split()? Based on what you wrote, I believe the answer
> is "no," as ask_master is updated during the handshake (and in
> Split()). If that's the case, what is this new API?
>

The application wouldn't have to call the Split() HKDF for transport keys,
but how we'd phrase this as API / pseudocode is up in the air.

Maybe an API vaguely like this?

EnableASK():
  - sets a boolean that causes ASK master keys to be derived, both during
the handshake and at the end of it.

InitializeASK(labels):
  - Assuming ASK was enabled, and there is a non-empty ASK master key,
derives a set of ASK chain keys from the ASK master key and the input
labels, then deletes the ASK master key.  This could be called multiple
times, including after the handshake and during it, and replaces any
previous ASK chains when called.

GetASK(label):
  - Assuming ASK is enabled and initialized, returns the next key from the
appropriate chain, and advances the appropriate ASK chain key, deleting the
previous chain key.

So if you don't EnableASK(), you don't pay any costs for deriving ASK
master keys.  If you do enable it, then you can call InitializeASK/GetASK
either during a handshake or after it, to get ASKs with the same level of
security as the current encryption keys.


Trevor
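The HKDF sketch quoted above together with the EnableASK/InitializeASK/GetASK API, as an added example that is not code from this thread or from any Noise implementation. It assumes SHA-256, RFC 5869 HKDF with Noise's ck-as-salt convention (so info="ask" goes into the first Expand block and shares the Extract with the normal derivation), a handshake hash h supplied by the caller, and a chain-advance step (one HKDF ratchet per GetASK) that the mail leaves unspecified.

```python
import hashlib
import hmac

def _hmac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def hkdf_extract(ck: bytes, ikm: bytes) -> bytes:
    # Noise HKDF: ck is the RFC 5869 salt, ikm the input keying material.
    return _hmac(ck, ikm)

def hkdf_expand2(prk: bytes, info: bytes = b"") -> tuple:
    # RFC 5869 Expand for two HASHLEN outputs; Noise normally passes empty info.
    out1 = _hmac(prk, info + b"\x01")
    return out1, _hmac(prk, out1 + info + b"\x02")

class ASK:
    """EnableASK / InitializeASK / GetASK sketch; h is the handshake hash."""

    def __init__(self, enabled: bool = False) -> None:
        self.enabled, self.master, self.chains = enabled, None, {}

    def mix_key(self, ck: bytes, ikm: bytes) -> tuple:
        # ck, k = HKDF(ck, ikm) and ask_master = HKDF(ck, ikm, info="ask") share
        # one Extract, so ASK costs a single extra HMAC (first Expand block).
        prk = hkdf_extract(ck, ikm)
        if self.enabled:
            self.master = _hmac(prk, b"ask\x01")
        return hkdf_expand2(prk)

    def split(self, ck: bytes) -> tuple:
        # transport1, transport2 = HKDF(ck, zerolen); ask_master likewise.
        prk = hkdf_extract(ck, b"")
        if self.enabled:
            self.master = _hmac(prk, b"ask\x01")
        return hkdf_expand2(prk)

    def initialize(self, h: bytes, labels) -> None:
        if not self.enabled or self.master is None:
            raise ValueError("ASK not enabled or no ASK master key available")
        self.chains = {lab: _hmac(self.master, h + lab) for lab in labels}
        self.master = None  # delete ask_master; a later call replaces the chains

    def get(self, label: bytes) -> bytes:
        # Assumed chain step (not fixed in the mail): one HKDF ratchet yielding
        # (next chain key, output ASK); the previous chain key is dropped.
        self.chains[label], ask = hkdf_expand2(hkdf_extract(self.chains[label], b""))
        return ask
```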