[noise] Why encrypted keys are authenticated?

Loup Vaillant David loup at loup-vaillant.fr
Mon May 13 18:00:03 PDT 2019

On Tue, 2019-05-14 at 00:57 +0200, Marian Beermann wrote:
> Am 14.05.19 um 00:51 schrieb Loup Vaillant David:
> > I don't think it would: if you can encrypt a public key, then you
> > can authenticate the message that contains it, which Noise already
> > does. A handshake message currently cannot contain an encrypted DH
> > key *and* a plaintext payload. It would mean the symmetric state
> > could *lose* its key, and as far as I am aware it never does.
> I am probably misunderstanding you, but as per the spec, it is
> entirely permissible for the application to send payload data as part
> of handshake messages at any point during the handshake.

The specs do allow plaintext payloads. But they do not allow plaintext
payload *in a message that contains encrypted keys*. The specs are not
explicit about that, but that's how the state machine works. Simply
put, only one of three things can happen in a given message:

- Both keys and payload are in plaintext
- Both keys and payload are encrypted
- keys are in plaintext, payload is encrypted

The fourth possibility never happens.


More information about the Noise mailing list