[noise] certificate chains

Trevor Perrin trevp at trevp.net
Tue Jul 3 09:06:55 PDT 2018


On Tue, Jul 3, 2018 at 3:48 PM, Arvid Picciani <aep at exys.org> wrote:
>> I was assuming that "s" will be used repeatedly by the client
>
> no, only by the server for 0-RTT.
> the s sent in message 1 (cleartext) is not reused.
> The fact that it exists at all is me not understanding the handshake hash well.
> Its safety properties are not well documented in the spec.  I.e. when
> is it safe to sign it in which pattern?
>
>
> in NX for example (which would just leave out the client static key),
> is this safe?
>
> NX(rs):
>   -> e
>   <- e, ee, s, es  [u(h)]
>   -> [u, u(h)]

Hi Arvid,

It's true that we don't provide a lot of advice about signing the
handshake hash during the handshake.

Ultimately, we'd want to handle this as part of Noise itself, rather
than having people add this in handshake payloads.

For example, we might have something like a "sig" modifier which
converts "es" and "se" tokens to signatures from the static key over
the handshake hash:

XXsig
  -> e
  <- e, ee, s, sig
  -> s, sig

However, there are details to work out (like naming the modifier and
tokens), so we're probably months away from that.


About your sketch - signing the static key makes sense if you want to
reuse the signature and not sign every handshake (i.e. an "offline"
signing key).  If you're signing the handshake hash then you don't
need a Noise static key.  So in your sketch, either:
 (a) the server's static is unneeded, or
 (b) the server's signature should be over s, not h

So you should think about which approach you want:  Do you want to
sign statics and reuse the signatures, or do you want to do online
signatures, in which case you don't need DH statics?

Trevor
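
The two options in the reply above, as an added example that is not part of the original message or of any Noise implementation: a signature over the static key s verifies in every handshake that presents s, while a signature over the handshake hash h verifies only in the handshake that produced it. Assumptions: Ed25519 as the signature scheme, constructed placeholder byte strings in place of real DH public keys, and a simplified h (no prologue or payloads, s mixed in unencrypted); the names handshakeHash and compare are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// handshakeHash follows Noise's h: initialise from the protocol name, then
// MixHash (h = SHA256(h || v)) each value sent. Simplified: no prologue or
// payloads, and s is mixed in as plaintext rather than as ciphertext.
func handshakeHash(name string, values ...[]byte) []byte {
	var h [32]byte
	if len(name) <= len(h) {
		copy(h[:], name) // short names are zero-padded, not hashed
	} else {
		h = sha256.Sum256([]byte(name))
	}
	for _, v := range values {
		h = sha256.Sum256(append(h[:], v...))
	}
	return h[:]
}

// compare signs s once (offline) and h of session 1 (online), then checks
// both signatures in a second handshake that uses the same static s.
func compare() (sigSReusable, sigHValid, sigHReplays bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	name := "Noise_NX_25519_ChaChaPoly_SHA256"
	s := []byte("constructed-server-static") // placeholder for a DH public key
	// Transcript up to the server's s: -> e, <- e, s (ephemerals differ).
	h1 := handshakeHash(name, []byte("client-e-1"), []byte("server-e-1"), s)
	h2 := handshakeHash(name, []byte("client-e-2"), []byte("server-e-2"), s)
	sigS := ed25519.Sign(priv, s)
	sigH := ed25519.Sign(priv, h1)
	return ed25519.Verify(pub, s, sigS), // session 2 presents the same s
		ed25519.Verify(pub, h1, sigH), // session 1 accepts its own h
		ed25519.Verify(pub, h2, sigH) // replayed into session 2: rejected
}

func main() {
	fmt.Println(compare()) // true true false
}
```

Because the signature over s is valid in any session, it only certifies the key; proof that the peer holds s in this session still has to come from the "es" DH.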

