Sorry for the long delay in replying, I had a baby the day you sent this! This is neat! How many round trips are needed to set up a connection?
When Cap'n Proto gets three-party handoff support, I'm hoping we can do 0-RTT encrypted session setup after introductions. Not many protocols seem to consider this use case though.

On Tue, Dec 14, 2021 at 2:05 PM Jens Alfke <j...@mooseyard.com> wrote:

> The handshake also produces two session keys, which are then used to
> encrypt the channel with the 256-bit symmetric XSalsa20 cipher. (This is
> not strictly speaking part of the SecretHandshake protocol, which ends
> after key agreement. Scuttlebutt uses a different encryption scheme based
> on libSodium’s “secret box”.)

Hmm if you're using a plain xsalsa20 stream and not secret boxes, does that mean you're implementing only encryption, not authentication?

Note that XSalsa20 and related ciphers work by generating a random stream, and then XORing it with the plaintext. So although the attacker can't decrypt the bytes, they can flip individual bits in the ciphertext and this will result in the same bit being flipped in the plaintext. Secret boxes add a MAC to each block which allows the receiver to verify that the bits haven't been tampered with.

-Kenton
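An added illustration of the point about unauthenticated stream ciphers, not code from this thread or from SecretHandshake: it shows a flipped ciphertext bit passing through a bare XOR stream unnoticed, and the same change being rejected once a MAC covers the ciphertext. A SHA-256 counter-mode keystream stands in for XSalsa20 and HMAC-SHA256 stands in for the secret box's MAC; the keys, nonce and message are constructed.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in keystream (SHA-256 in counter mode), NOT XSalsa20. Only the
    # "XOR the plaintext with a keyed stream" structure matters here.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same operation for a stream cipher.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers the nonce and the ciphertext.
    ct = xor_stream(enc_key, nonce, plaintext)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, boxed: bytes):
    # Verify the tag in constant time BEFORE decrypting; None means rejected.
    ct, tag = boxed[:-32], boxed[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_stream(enc_key, nonce, ct)

def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)

# Constructed sample values (a real session uses fresh keys and unique nonces).
ENC_KEY = bytes(range(32))
MAC_KEY = bytes(range(32, 64))
NONCE = bytes(24)
MESSAGE = b"hello world"

def demo():
    # Stream only: the receiver decrypts modified ciphertext without any error.
    ct = xor_stream(ENC_KEY, NONCE, MESSAGE)
    stream_only = xor_stream(ENC_KEY, NONCE, flip_bit(ct, 0, 5))
    # With a MAC: the same one-bit change makes verification fail.
    boxed = seal(ENC_KEY, MAC_KEY, NONCE, MESSAGE)
    with_mac = open_sealed(ENC_KEY, MAC_KEY, NONCE, flip_bit(boxed, 0, 5))
    return stream_only, with_mac

if __name__ == "__main__":
    print(demo())
```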