[noise] post-handshake authentication

David Wong davidwong.crypto at gmail.com
Thu Jun 21 01:52:01 PDT 2018


> I don't quite follow the protocol.  But what you're asking for seems
> similar to the ASK / Additional Symmetric Keys mechanism that we're
> discussing in the "Resumption PSKs" thread?

It's like Signal's TOFU + fingerprint authentication except that here
you just can't go on with the session if you don't verify
fingerprints.
I didn't want peers to cheat their way and activate the session when
they haven't retrieved the fingerprint out of band. With the current
ASK mechanism a peer could generate the fingerprint and pass it back
to the implementation and it would work. Note that this doesn't have
to be a problem solved by the protocol, the implementation could add
an initiator/responder byte to the ASK. I'll give an example since
it's always easier to follow:

* initiator does NN() with responder
* at the end of the handshake the CipherStates are locked
* initiator generates an "authentication string" or "fingerprint" with
exportSessionAuthenticationString()
* it returns a byte string [1 | ...] (where ... represents a 32-byte secret)
* if the responder does the same, it would return [0 | ...] (where ...
is the same 32-byte secret)
* they exchange their fingerprints out-of-band
* the initiator passes the [0 | ...] secret to authenticateSession()
and he can now send messages to the responder

Another thing I'm wondering here: what does the responder do if it
starts receiving messages before it activated the session? Ignore
them?

> > Additionally, has anyone thought about integrating a
> > short-authentication-string protocol with Noise? Sometimes it's not
> > practical to share a "long" fingerprint out of band (e.g. embedded
> > device flashes a number of leds as the SAS)
>
> Rhys and I thought a little about that last year:
>
> https://moderncrypto.org/mail-archive/noise/2017/001170.html
>
> But we didn't get very far.  Would be fun to push that forward
> sometime, particularly if someone has a real use case.

I'm pretty clueless in this area, maybe something based on this:
https://infoscience.epfl.ch/record/99437/files/PasiniVaudenay06-SASbasedAKA.pdf
There is also a new paper that adds 2FA via SAS:
https://eprint.iacr.org/2018/033.pdf

David
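The initiator/responder-byte scheme walked through in the bullet list above, as an added example that is not part of the mailing list post or of any Noise library. Everything here is an assumption for illustration: the 32-byte secret is derived with HMAC-SHA256 over a constructed stand-in for the handshake hash (a real implementation would take it from the HandshakeState / ASK chain), the method names mirror the post's exportSessionAuthenticationString() and authenticateSession() in snake_case, and the receive() policy (buffer early messages until activation) is one possible answer to the question in the post, not a specification.

```python
import hashlib
import hmac

INITIATOR = 1
RESPONDER = 0
FINGERPRINT_LEN = 33  # 1 role byte + 32-byte secret

# Constructed value standing in for the handshake hash both peers hold
# after NN(); in a real Noise implementation this comes from the
# HandshakeState, never from a constant.
DEMO_HANDSHAKE_HASH = hashlib.sha256(b"demo NN handshake transcript").digest()


class Session:
    """Post-handshake state: the CipherStates stay locked until the peer's
    fingerprint, obtained out of band, has been verified."""

    def __init__(self, role, handshake_hash):
        self.role = role
        self._handshake_hash = handshake_hash
        self.authenticated = False
        self.pending = []  # messages that arrived before activation

    def _secret(self):
        # Hypothetical derivation: HMAC over the handshake hash with a fixed label.
        return hmac.new(self._handshake_hash, b"session-auth", hashlib.sha256).digest()

    def export_session_authentication_string(self):
        # [role | secret]: the initiator emits [1 | ...], the responder [0 | ...].
        return bytes([self.role]) + self._secret()

    def authenticate_session(self, fingerprint):
        # Only the *peer's* string is accepted, so the role byte must be flipped;
        # feeding back one's own export can never unlock the session.
        expected = bytes([1 - self.role]) + self._secret()
        if len(fingerprint) == FINGERPRINT_LEN and hmac.compare_digest(fingerprint, expected):
            self.authenticated = True
        return self.authenticated

    def send(self, plaintext):
        if not self.authenticated:
            raise RuntimeError("session not authenticated: CipherState locked")
        return plaintext  # stand-in for CipherState.EncryptWithAd

    def receive(self, message):
        # One policy for early traffic: hold it until activation rather than
        # processing it on an unverified session.
        if not self.authenticated:
            self.pending.append(message)
            return None
        return message


def demo():
    """Run the out-of-band exchange and return what each check produced."""
    init = Session(INITIATOR, DEMO_HANDSHAKE_HASH)
    resp = Session(RESPONDER, DEMO_HANDSHAKE_HASH)
    fp_i = init.export_session_authentication_string()
    fp_r = resp.export_session_authentication_string()
    results = {
        "role_bytes": (fp_i[0], fp_r[0]),
        "same_secret": fp_i[1:] == fp_r[1:],
        # Cheating attempt: the initiator passes its own string instead of the
        # one it should have retrieved from the responder out of band.
        "self_auth_rejected": not init.authenticate_session(fp_i),
        # A message reaching the responder before it activated the session.
        "early_buffered": resp.receive(b"early") is None and len(resp.pending) == 1,
        # Honest exchange: each side passes in the *other* side's fingerprint.
        "honest_auth": init.authenticate_session(fp_r) and resp.authenticate_session(fp_i),
    }
    # A peer from a different handshake cannot be unlocked with this fingerprint.
    other = Session(RESPONDER, hashlib.sha256(b"different transcript").digest())
    results["wrong_session_rejected"] = not other.authenticate_session(fp_i)
    results["send_after_auth"] = init.send(b"hello") == b"hello"
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The role byte is what makes the check meaningful: both peers derive the same 32-byte secret, so without it a lazy peer could "verify" by exporting and re-importing its own value. Whether early messages are buffered or dropped is a policy choice; buffering keeps them off the unverified session while avoiding data loss if activation follows shortly.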

