Re: CADET protocol: Anna or Betty?
From: Schanzenbach, Martin
Subject: Re: CADET protocol: Anna or Betty?
Date: Fri, 3 Jan 2020 22:28:02 +0900
> On 3. Jan 2020, at 21:35, carlo von lynX <address@hidden> wrote:
>
> Why Anna? Because Alice sounds too much like it's about crypto!
>
> Greetings from the secushare workshop. We're discussing the
> implications of the protocol design bug regarding that Alice
> (Anna) or Betty logic by which if the channel breaks and
> Betty wants to re-open it, then she can't actually do anything
> because Anna is supposed to start the handshake whereas Anna
> thinks the channel is still up and running and thus doesn't
> do anything.
>
> We're thinking of introducing an extra message from Betty to
> Anna which tells Anna that Betty would like to be entertained
> and transmits Betty's new channel id. Anna will then either
> realize she has an old channel id, thus needs to take action,
> or she has *no* channel id, then she probably started negotiation
> at the same time and should act no further (race condition)
> or she already has that channel id, then also she does nothing.
That sounds like it allows anyone to hijack any (established) channel
after a successful kx.
>
> Does that sound reasonable? Where do we have documentation
> explaining why we have this decision-making logic in the first
> place rather than letting the initiating one of the two start the
> handshake? I don't think Tor has anything like that, also TCP
> and TLS don't have it.
What about TLS session resumption? Might make sense to look into that.
>
> Back in the days of PSYC1 I designed it in such a way that if
> both nodes decide to talk to each other at the same time, they
> will interpret each other's initiations as the respective
> responses, resulting in faster link creation.
That may be ok for the initial handshake, but not for resumptions.
BR
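To make the decision logic of the proposed "re-open" message concrete, here is an added model of Anna's three cases (stale channel id, no channel id, id already current) together with Martin's hijack concern. This is example code written for this page, not GNUnet or CADET code; the names `AnnaState`, `betty_reopen_request`, `anna_handle_reopen` and the HMAC binding of the request to the key established by the kx are assumptions of the example, not part of carlo's proposal or of the CADET protocol.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Outcomes on Anna's side for the three cases described in the thread.
STALE_ID = "stale channel id: tear down old channel, re-run handshake"
RACE = "no channel id: Anna is already negotiating herself, do nothing"
ALREADY_CURRENT = "channel id already current: do nothing"
# Extra outcome that is an assumption of this example, not part of the proposal.
UNAUTHENTICATED = "reopen request not bound to the kx key: ignore"


@dataclass
class AnnaState:
    """What Anna remembers after a successful key exchange (kx)."""
    kx_key: bytes                     # shared secret from the kx (assumed name)
    channel_id: Optional[int] = None  # None: Anna holds no channel id at all


def reopen_tag(key: bytes, channel_id: int) -> bytes:
    """Assumed binding: an HMAC over the new channel id under the kx key."""
    return hmac.new(key, channel_id.to_bytes(4, "big"), hashlib.sha256).digest()


def betty_reopen_request(kx_key: bytes, new_channel_id: int) -> Tuple[int, bytes]:
    """Betty's proposed message: 'I would like to be entertained' plus her new id."""
    return new_channel_id, reopen_tag(kx_key, new_channel_id)


def anna_handle_reopen(state: AnnaState, msg: Tuple[int, bytes],
                       require_auth: bool = True) -> str:
    """Anna's decision logic from the thread, behind the (assumed) authentication gate."""
    new_id, tag = msg
    if require_auth and not hmac.compare_digest(reopen_tag(state.kx_key, new_id), tag):
        return UNAUTHENTICATED
    if state.channel_id is None:
        return RACE
    if state.channel_id == new_id:
        return ALREADY_CURRENT
    # Anna believed the old channel was still up; this message tells her it is not.
    state.channel_id = new_id
    return STALE_ID


def demo() -> dict:
    """Runs the three proposal cases and the hijack concern on constructed data."""
    kx_key = b"constructed-kx-key-shared-by-anna-and-betty"
    results = {}

    # 1. Anna still holds the old id 7; Betty's channel broke and she picks 42.
    anna = AnnaState(kx_key, channel_id=7)
    results["stale"] = anna_handle_reopen(anna, betty_reopen_request(kx_key, 42))

    # 2. Anna has no channel id: she is probably mid-negotiation herself.
    anna = AnnaState(kx_key, channel_id=None)
    results["race"] = anna_handle_reopen(anna, betty_reopen_request(kx_key, 42))

    # 3. Anna already has 42.
    anna = AnnaState(kx_key, channel_id=42)
    results["current"] = anna_handle_reopen(anna, betty_reopen_request(kx_key, 42))

    # 4. Martin's concern: a party that never completed the kx sends a reopen request.
    #    Without the binding Anna treats it as a stale id and moves to channel 99;
    #    with the binding the request is ignored because the tag cannot be valid.
    forged = (99, b"\x00" * 32)  # constructed: no knowledge of kx_key, so no valid tag
    results["forged_unchecked"] = anna_handle_reopen(AnnaState(kx_key, 7), forged,
                                                     require_auth=False)
    results["forged_checked"] = anna_handle_reopen(AnnaState(kx_key, 7), forged)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of case 4 is Martin's objection: if the re-open message only carries a channel id, Anna's "old channel id, take action" branch is reachable by anyone who can send a message, so the request has to be tied to the state both peers already share from the kx (the HMAC here is just one way to express that binding).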