[noise] selfie attack

[Max Rottenkolber]

Hi all,

On Wed, Apr 3, 2019 at 7:20 AM Justin Cormack
<justin at specialbusservice.com> wrote:
>
> This paper https://eprint.iacr.org/2019/347.pdf points out that (in
> Noise terms) NNpsk handshakes and traffic can be reflected back to the
> originator if it acts as client and server

I actually ran into this issue, having choosen a NNpsk0 based design. Seeing
chatter about Selfie scrolling by on Twitter made me realize that my design is
affected almost instantly.

So maybe a note on this on the PSK section might be valuable. Something along
the lines of “If you use a psk pattern without asymmetric key identities, note
that you have to ensure identity by other means”, illustrated by a Selfie-style
example.

On Wed, 3 Apr 2019 08:25:01 -0700, trevp at trevp.net (Trevor Perrin) wrote:
> That's obvious in a sense, but might be overlooked by protocol
> designers / developers.  I think it merits a security consideration
> that entities should bind some other identity information in this case
> (via handshake payloads or prologue), not sure we could do much else.

Definitely obvious in retrospect. I even used this property knowingly in
testing scenarios. Like you said the fix[1] for me was to include the intent of
the exchange in the prologue, so that an initiator won’t be tricked into
authenticating with itself unless that is what it intended to do.

So I dunno... I guess I just wanted to chime in with an empiric data point,
being one of those surprised protocol developers.

[1] https://github.com/inters/vita/pull/96

Cheers,
Max