[noise] post-handshake authentication

David Wong davidwong.crypto at gmail.com
Thu Jun 21 10:04:11 PDT 2018


> This isn't all that similar to Signal - Signal's safety number is a
> concatenation of fingerprints for long-term public keys, but here
> there are no static public keys.

I meant the point of doing this: both protocols provide mutual
authentication to a non-authenticated handshake.

> Since the 2 parties have the same symmetric keys and hash values, I'm
> not sure it makes sense to modify the underlying crypto to require one
> party to provide a symmetric crypto-based value to the other, since
> both parties can compute the same things with their symmetric keys?

Yeah I agree, and it's pretty easy to enforce in the implementation
(as in my example)

> But it's a little unclear to me whether you want a secret value (like
> from ASK) or just a public authentication value like a public-key
> fingerprint, which could be derived from the handshake hash without
> using ASK at all.

True, actually it doesn't matter if it's a secret value and the
handshake hash should work! (Not sure what I had in mind.)
I'll start implementing a proof of concept and see how this goes.
I'd still be interested in people's opinion about a SAS-Noise :)

David

