3 Matching Annotations
- Mar 2020
-
noiseprotocol.org noiseprotocol.org
-
Channel binding: Depending on the DH functions, it might be possible for a malicious party to engage in multiple sessions that derive the same shared secret key by setting public keys to invalid values that cause predictable DH output (as in the previous bullet). It might also be possible to set public keys to equivalent values that cause the same DH output for different inputs. This is why a higher-level protocol should use the handshake hash (h) for a unique channel binding, instead of ck, as explained in Section 11.2.
Tags
Annotators
URL
-
-
moderncrypto.org moderncrypto.org
-
Thus it's an incomplete fix, and the correct solution is binding the transcript.
-
It's well-understood nowadays that channel binding must cover the session transcript.
-