Noise Explorer beta

IK1

s ... a e, s b e, ee, se, es c d

Handshake Pattern Analysis

The responder is initialized with a pre-shared long-term static key, which is assumed to be pre-authenticated out of band by the initiator.

Message A show detailed analysis

Message A, sent by the initiator, does not benefit from sender authentication and does not provide message integrity. It could have been sent by any party, including an active attacker. Message contents are sent in cleartext and do not benefit from message secrecy and any forward secrecy is out of the question. 0,0

Message B show detailed analysis

Message B, sent by the responder, benefits from sender and receiver authentication and is resistant to Key Compromise Impersonation. Assuming the corresponding private keys are secure, this authentication cannot be forged. Message contents benefit from message secrecy and weak forward secrecy under a passive attacker: if the responder's long-term static keys were previously compromised, the later compromise of the initiator's long-term static keys can lead to message contents being decrypted by an attacker. 4,3

Message C show detailed analysis

Message C, sent by the initiator, benefits from sender and receiver authentication and is resistant to Key Compromise Impersonation. Assuming the corresponding private keys are secure, this authentication cannot be forged. Message contents benefit from message secrecy and strong forward secrecy: if the ephemeral private keys are secure and the responder is not being actively impersonated by an active attacker, message contents cannot be decrypted. 4,5

Message D show detailed analysis

Message D, sent by the responder, benefits from sender and receiver authentication and is resistant to Key Compromise Impersonation. Assuming the corresponding private keys are secure, this authentication cannot be forged. Message contents benefit from message secrecy and strong forward secrecy: if the ephemeral private keys are secure and the initiator is not being actively impersonated by an active attacker, message contents cannot be decrypted. 4,5

Download Cryptographic Models for Formal Verification

Download Model active attacker Download Model passive attacker