[noise] Why encrypted keys are authenticated?

Marian Beermann public at enkore.de
Mon May 13 15:57:24 PDT 2019

On 14.05.19 at 00:51, Loup Vaillant David wrote:
> I don't think it would: if you can encrypt a public key, then you can
> authenticate the message that contains it, which Noise already does. A
> handshake message currently cannot contain an encrypted DH key *and* a
> plaintext payload. It would mean the symmetric state could *lose* its
> key, and as far as I am aware it never does.

I am probably misunderstanding you, but as per the spec, it is entirely
permissible for the application to send payload data as part of
handshake messages at any point during the handshake.

> Following the public keys will be a single payload which can be used
> to convey certificates or other handshake data, but can also contain a
> zero-length plaintext.
> Static public keys and payloads will be in cleartext if they are sent
> in a handshake prior to a DH operation, and will be AEAD ciphertexts if
> they occur after a DH operation.
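
An added example, not part of the original message or of any Noise implementation: the spec's SymmetricState logic in Python, showing a handshake payload passing through in cleartext before the first DH and becoming an AEAD ciphertext afterwards. The protocol name, key bytes and DH output are constructed, and `standin_aead` is an HMAC-based substitute assumed here in place of a real Noise cipher function.

```python
import hashlib
import hmac

HASHLEN, TAGLEN = 32, 16

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def hkdf2(ck, ikm):  # Noise HKDF with two outputs, built on HMAC-SHA256
    temp = _mac(ck, ikm)
    out1 = _mac(temp, b"\x01")
    return out1, _mac(temp, out1 + b"\x02")

def standin_aead(k, n, ad, pt):
    """Assumption: HMAC-based stand-in for the AEAD, not a Noise cipher function."""
    nonce = n.to_bytes(8, "big")
    stream = b"".join(_mac(k, b"enc" + nonce + i.to_bytes(4, "big"))
                      for i in range(len(pt) // HASHLEN + 1))
    ct = bytes(p ^ s for p, s in zip(pt, stream))
    return ct + _mac(k, b"mac" + nonce + ad + ct)[:TAGLEN]

class SymmetricState:
    def __init__(self, protocol_name):
        short = len(protocol_name) <= HASHLEN  # InitializeSymmetric: pad short names, hash long ones
        self.h = protocol_name.ljust(HASHLEN, b"\x00") if short else hashlib.sha256(protocol_name).digest()
        self.ck, self.k, self.n = self.h, None, 0
    def mix_hash(self, data):
        self.h = hashlib.sha256(self.h + data).digest()
    def mix_key(self, dh_output):
        self.ck, self.k = hkdf2(self.ck, dh_output)  # k is set by a DH token; this class never clears it
        self.n = 0
    def encrypt_and_hash(self, plaintext):
        out = plaintext  # no key yet: sent in cleartext, still bound into h below
        if self.k is not None:
            out = standin_aead(self.k, self.n, self.h, plaintext)
            self.n += 1
        self.mix_hash(out)
        return out

def run_handshake_payloads():
    """Constructed walk-through of "-> e" then "<- e, ee", one payload per message."""
    ss = SymmetricState(b"Noise_NN_example")   # constructed protocol name
    ss.mix_hash(b"\x01" * 32)                  # token e (constructed public key)
    first = ss.encrypt_and_hash(b"hello")      # payload before any DH
    ss.mix_hash(b"\x02" * 32)                  # responder's e (constructed)
    ss.mix_key(b"\x03" * 32)                   # token ee (constructed DH output)
    second = ss.encrypt_and_hash(b"hello")     # payload after a DH
    empty = ss.encrypt_and_hash(b"")           # zero-length payload after a DH
    return first, second, empty
```

After the DH, even the zero-length payload occupies 16 bytes on the wire, because the authentication tag is always appended.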

