D. J. Bernstein | 15 Sep 12:27 2013

Re: questions on Hello robustness and about what is included

Laurent Alebarde writes:
> But here, the content of the box is all zeros, meaning a clear text attack
> might be performed to have information on (c', S).

The cryptographic primitives are designed to be secure for all inputs.
Higher levels of the protocol choose convenient input formats without
having to worry that this will compromise the cryptography.

> In the handshake, the packets are prefixed with an ID ("QvnQ5XlH", "RL3aNMXK",
> etc.). But the nonce that follows already contains a prefix that may take that
> role (respectively: "CurveCP-client-H", "CurveCPK", etc.).

A nonce is a concatenation of "CurveCPK" etc. and a compressed nonce, as
stated in the nonce specification; the compressed nonce doesn't include
the "CurveCPK" part. What is included in packets is the compressed
nonce, as stated in the detailed packet specification.

> I would expect the packets to be of the same size, but Hello has 224
> bytes and Cookie 200 bytes.

The attacker sends 224 bytes to the server, which sends 200 bytes to the
victim. This is less traffic for the victim to handle than having the
attacker send 224 bytes directly to the victim. Of course, it's almost
twice as much traffic for the server's router as not responding at all,
but one does have to get legitimate connections started somehow.

> Is there a recommendation to customise sigma per application?


---D. J. Bernstein
   Research Professor, Computer Science, University of Illinois at Chicago
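
The nonce expansion and the 224-versus-200-byte size relationship discussed in this message, as an added Python example that is not part of the original message or of any CurveCP implementation. Field offsets are taken from the public CurveCP packet specification the message refers to; the helper names and the sample packets are constructed for illustration.

```python
# Added example. Offsets follow the CurveCP packet specification;
# sample packets are constructed here, not captured traffic.
HELLO_ID, COOKIE_ID = b"QvnQ5XlH", b"RL3aNMXK"
HELLO_LEN, COOKIE_LEN = 224, 200

# packet ID -> (total length, compressed-nonce offset, its length, implicit prefix)
LAYOUT = {
    HELLO_ID: (HELLO_LEN, 136, 8, b"CurveCP-client-H"),
    COOKIE_ID: (COOKIE_LEN, 40, 16, b"CurveCPK"),
}

def full_nonce(packet: bytes) -> bytes:
    """Rebuild the 24-byte box nonce from the compressed nonce sent on the wire."""
    layout = LAYOUT.get(packet[:8])
    if layout is None:
        raise ValueError("unknown packet ID")
    total, off, clen, prefix = layout
    if len(packet) != total:
        raise ValueError(f"expected {total} bytes, got {len(packet)}")
    # The prefix is never transmitted; the receiver prepends it.
    return prefix + packet[off:off + clen]

def hello_padding_ok(packet: bytes) -> bool:
    """Check ID, length and the 64 zero bytes (offsets 72..135) of a Hello.

    Without that padding a Hello would be 160 bytes, shorter than the
    200-byte Cookie it triggers.
    """
    return (packet[:8] == HELLO_ID and len(packet) == HELLO_LEN
            and packet[72:136] == bytes(64))

def reflection_ratio() -> float:
    """Bytes the server sends per byte received during the handshake."""
    return COOKIE_LEN / HELLO_LEN

def sample_hello(counter: int) -> bytes:
    """Constructed Hello: dummy extensions and key, placeholder 80-byte box."""
    return (HELLO_ID + bytes(16) + bytes(16) + b"\x11" * 32 + bytes(64)
            + counter.to_bytes(8, "little") + b"\xaa" * 80)

def sample_cookie() -> bytes:
    """Constructed Cookie: dummy extensions, nonce 00..0f, placeholder 144-byte box."""
    return COOKIE_ID + bytes(16) + bytes(16) + bytes(range(16)) + bytes(144)

if __name__ == "__main__":
    print(full_nonce(sample_hello(1)).hex())
    print(full_nonce(sample_cookie()).hex())
    print(f"server sends {reflection_ratio():.3f} bytes per byte received")
```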