[noise] Noise XK 5 should be a 4?

david wong davidwong.crypto at gmail.com
Mon Apr 29 21:07:41 PDT 2019

Oh right! The payload authenticates the handshake. 

I suggest a payload token!


> On Apr 29, 2019, at 8:56 PM, Trevor Perrin <trevp at trevp.net> wrote:
>> On Mon, Apr 29, 2019 at 6:22 PM david wong <davidwong.crypto at gmail.com> wrote:
>> I think my brain is farting, but shouldn't XK's last message provide a 4 in dest payload security?
> I think the spec is right (5).
>> You can send your own e as the server's response and the client's last handshake payload will have weak forward secrecy
> Forging the responder(server)'s response requires knowledge of either
> the responder's static private key or the initiator's ephemeral
> private key.
> In the messages marked 5 the sender has authenticated the recipient's
> ephemeral using their own (sender) ephemeral and the recipient's
> static key, so there's no "weak forward secrecy" issues.
> Trevor

More information about the Noise mailing list