[noise] Why encrypted keys are authenticated?
Trevor Perrin
trevp at trevp.net
Mon May 13 16:48:15 PDT 2019
On Mon, May 13, 2019 at 3:49 AM Loup Vaillant David
<loup at loup-vaillant.fr> wrote:
>
> Hi,
>
> Noise has an apparent redundancy that bothers me a little: encrypted
> public keys in handshake messages are authenticated *twice*: once with
> the key that encrypts them, and once again with the key that encrypts
> (and authenticates) the payload message.
Hi Loup,
We discussed this briefly before:
https://moderncrypto.org/mail-archive/noise/2018/001864.html
In general if you want to encrypt something with a symmetric key you
want authenticated encryption.
Omitting the "authenticated" part can open up attacks against
confidentiality, e.g. a network attacker can XOR something into a
legitimate ciphertext causing the receiver to operate on a tampered
plaintext in a way that reveals something about the plaintext (either
via an error behavior or timing).
Trevor
More information about the Noise
mailing list