[noise] Does the NK handshake pattern require a separate server pubkey check?
Loup Vaillant-David
loup at loup-vaillant.fr
Tue Apr 21 09:48:32 PDT 2020
> > Well, if the client already received the server's public key
> > out-of-band it wouldn't have to check it, but in that situation
> > there's no reason to be using NX. I.e. NX could be used just like
> > NK and has the same authentication properties, it just additionally
> > transmits the public key in case the client doesn't already have
> > it.
>
> There must be something I misunderstand. I don't see what part of the
> NX handshake pattern inherently fails when the initiator and
> responder have different ideas of what the responder's static key is,
> for example in the case of MITM.
I suspect Trevor is hinting at a "Trust On First Use" situation: the
first time around, we use NX, and just "trust" the key we received does
not come from a man in the middle. Subsequent exchanges could then use
NK, using the key we trusted during the first exchange.
As for the part you don't seeā¦ it actually isn't there: NX won't fail
if you're talking to a malicious server, you need to check the
transmitted key somehow.
> I get that the NK pattern suffices if the initiator has out-of-band
> knowledge of the responder's static key;
It does suffice.
> I just want to check my understanding that if the NX pattern is used
> in the same situation, the initiator needs to check the received
> static key, separately from the Noise handshake.
Your understanding is correct.
Loup.
More information about the Noise
mailing list