Noise Explorer beta

NNpsk0

a psk, e b e, ee c d

Handshake Pattern Analysis

Message A show detailed analysis

Message A, sent by the initiator, benefits from receiver authentication but is vulnerable to Key Compromise Impersonation. If the responder's long-term private key has been compromised, this authentication can be forged. However, if the initiator carries out a separate session with a separate, compromised responder, this other session can be used to forge the authentication of this message with this session's responder. Message contents benefit from message secrecy and some forward secrecy: the compromise of the responder's long-term private keys, even at a later date, will lead to message contents being decrypted by the attacker. 1,2

Message B show detailed analysis

Message B, sent by the responder, benefits from receiver authentication but is vulnerable to Key Compromise Impersonation. If the initiator's long-term private key has been compromised, this authentication can be forged. However, if the responder carries out a separate session with a separate, compromised initiator, this other session can be used to forge the authentication of this message with this session's initiator. Message contents benefit from message secrecy and weak forward secrecy under a passive attacker: if the responder's long-term static keys were previously compromised, the later compromise of the initiator's long-term static keys can lead to message contents being decrypted by an attacker. 1,3

Message C show detailed analysis

Message C, sent by the initiator, benefits from receiver authentication but is vulnerable to Key Compromise Impersonation. If the responder's long-term private key has been compromised, this authentication can be forged. However, if the initiator carries out a separate session with a separate, compromised responder, this other session can be used to forge the authentication of this message with this session's responder. Message contents benefit from message secrecy and weak forward secrecy under a passive attacker: if the initiator's long-term static keys were previously compromised, the later compromise of the responder's long-term static keys can lead to message contents being decrypted by an attacker. 1,3

Message D show detailed analysis

Message D, sent by the responder, benefits from receiver authentication but is vulnerable to Key Compromise Impersonation. If the initiator's long-term private key has been compromised, this authentication can be forged. However, if the responder carries out a separate session with a separate, compromised initiator, this other session can be used to forge the authentication of this message with this session's initiator. Message contents benefit from message secrecy and weak forward secrecy under a passive attacker: if the responder's long-term static keys were previously compromised, the later compromise of the initiator's long-term static keys can lead to message contents being decrypted by an attacker. 1,3

Download Cryptographic Models for Formal Verification

Download Model active attacker Download Model passive attacker