[noise] selfie attack

David Wong davidwong.crypto at gmail.com
Wed Apr 3 08:29:18 PDT 2019

>> This paper https://eprint.iacr.org/2019/347.pdf points out that (in
>> Noise terms) NNpsk handshakes and traffic can be reflected back to the
>> originator if it acts as client and server
> That's true, if a node is willing to serve as an initiator or
> responder based solely on PSK authentication then it is willing to
> talk to itself, so could end up handling its own reflected messages.
> That's obvious in a sense, but might be overlooked by protocol
> designers / developers.  I think it merits a security consideration
> that entities should bind some other identity information in this case
> (via handshake payloads or prologue), not sure we could do much else.

I think the biggest issue with TLS 1.3 is how this PSK could come from a previous handshake (to do session-resumption). This is where things are not so obvious IMO. Noise doesn’t seem to mention session resumption so I’m not sure if it would make sense to add something about it. That seems like a protocol design concern though.
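The mitigation suggested in the quoted reply (binding identity information through the prologue), as an added example that is not part of the original message and is not Noise code: a simplified HMAC model of a PSK-only handshake message in which a node's own message is reflected back to it. The node names, the `Node` class, the prologue format and the `toy-NNpsk-model` label are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

PROTOCOL = b"toy-NNpsk-model"  # constructed label, not a real Noise protocol name

def transcript_hash(prologue: bytes) -> bytes:
    # Noise mixes the prologue into the handshake hash h; modelled with SHA-256.
    h = hashlib.sha256(PROTOCOL).digest()
    return hashlib.sha256(h + prologue).digest()

def prologue_for(initiator: str, responder: str, bind_ids: bool) -> bytes:
    # Hypothetical prologue format: role-ordered identities, or empty if unbound.
    if not bind_ids:
        return b""
    return f"initiator={initiator};responder={responder}".encode()

class Node:
    """A party that is willing to act as both initiator and responder."""
    def __init__(self, name: str, peer: str, psk: bytes, bind_ids: bool):
        self.name, self.peer, self.psk, self.bind_ids = name, peer, psk, bind_ids

    def initiate(self) -> bytes:
        nonce = os.urandom(16)  # stands in for the ephemeral public key
        h = transcript_hash(prologue_for(self.name, self.peer, self.bind_ids))
        return nonce + hmac.new(self.psk, h + nonce, hashlib.sha256).digest()

    def respond(self, msg: bytes) -> bool:
        # As responder, the expected initiator is the peer, never this node.
        nonce, tag = msg[:16], msg[16:]
        h = transcript_hash(prologue_for(self.peer, self.name, self.bind_ids))
        expected = hmac.new(self.psk, h + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)

def reflection_accepted(bind_ids: bool) -> bool:
    # Alice's own first message is handed back to her responder role.
    alice = Node("alice", "bob", os.urandom(32), bind_ids)
    return alice.respond(alice.initiate())

def honest_accepted(bind_ids: bool) -> bool:
    # Normal run: Bob receives the message Alice actually sent to him.
    psk = os.urandom(32)
    alice = Node("alice", "bob", psk, bind_ids)
    bob = Node("bob", "alice", psk, bind_ids)
    return bob.respond(alice.initiate())

if __name__ == "__main__":
    for bind in (False, True):
        print(f"bind_ids={bind}: honest={honest_accepted(bind)} "
              f"reflected={reflection_accepted(bind)}")
```

With an empty prologue both roles derive the same hash, so the reflected message verifies; with role-ordered identities in the prologue the hashes differ and only the honest run is accepted.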

