Noise Explorer beta

NNpsk2

a e b e, ee, psk c d

Handshake Pattern Analysis

Message A show detailed analysis

Message A, sent by the initiator, does not benefit from sender authentication and does not provide message integrity. It could have been sent by any party, including an active attacker. Message contents are sent in cleartext and do not benefit from message secrecy and any forward secrecy is out of the question. 0,0

Message B show detailed analysis

Message B, sent by the responder, benefits from receiver authentication but is vulnerable to Key Compromise Impersonation. If the initiator's long-term private key has been compromised, this authentication can be forged. However, if the responder carries out a separate session with a separate, compromised initiator, this other session can be used to forge the authentication of this message with this session's initiator. Message contents benefit from message secrecy and weak forward secrecy under a passive attacker: if the responder's long-term static keys were previously compromised, the later compromise of the initiator's long-term static keys can lead to message contents being decrypted by an attacker. 1,3

Message C show detailed analysis

Message C, sent by the initiator, benefits from receiver authentication but is vulnerable to Key Compromise Impersonation. If the responder's long-term private key has been compromised, this authentication can be forged. However, if the initiator carries out a separate session with a separate, compromised responder, this other session can be used to forge the authentication of this message with this session's responder. Message contents benefit from message secrecy and weak forward secrecy under a passive attacker: if the initiator's long-term static keys were previously compromised, the later compromise of the responder's long-term static keys can lead to message contents being decrypted by an attacker. 1,3

Message D show detailed analysis

Message D, sent by the responder, benefits from receiver authentication but is vulnerable to Key Compromise Impersonation. If the initiator's long-term private key has been compromised, this authentication can be forged. However, if the responder carries out a separate session with a separate, compromised initiator, this other session can be used to forge the authentication of this message with this session's initiator. Message contents benefit from message secrecy and weak forward secrecy under a passive attacker: if the responder's long-term static keys were previously compromised, the later compromise of the initiator's long-term static keys can lead to message contents being decrypted by an attacker. 1,3

Download Cryptographic Models for Formal Verification

Download Model active attacker Download Model passive attacker