On Wed, 17 Dec 2014 13:51:02 -0500 Nick Mathewson nickm@alum.mit.edu wrote: [snipity]
Should the handshake also include a signature by Bob of (X|N), and should maybe the shared secret also include a digest of all the other parts of the communication?
Hmm, maybe I shouldn't have left bits out, and I really do need to document the handshake component of the protocol.
The former is actually done: a BLAKE-256 digest of the entire client request is included in Bob's response and is covered by the signature. The client verifies that Bob received an unmodified request, after checking the signature. There's no reason why the signature can't just include the entire request here if that's better.
Including a digest of everything sent as part of the shared secret seems like a good idea, so I shall revise the protocol to do that (digesting < 50 KiB of data isn't that big of a deal given how heavyweight the other crypto bits are).
Regards,
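
The transcript binding discussed in this message, as an added sketch that is not part of the original e-mail or the protocol's own code: the session key is derived from the raw shared secret plus a digest of every handshake message, so a request altered in transit gives the two sides different keys. Assumptions: BLAKE2s stands in for BLAKE-256 (which is not in Python's `hashlib`), HKDF-SHA256 stands in for the protocol's KDF, and all function names, the framing and the sample messages are hypothetical; Bob's signature check is not shown.

```python
import hashlib
import hmac

def transcript_digest(messages):
    """Digest every handshake message, length-prefixed so that message
    boundaries cannot be shifted without changing the digest."""
    h = hashlib.blake2s(digest_size=32)  # assumption: stand-in for BLAKE-256
    for m in messages:
        h.update(len(m).to_bytes(4, "big"))
        h.update(m)
    return h.digest()

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869): extract with the salt, then expand with info."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def session_key(raw_shared_secret, messages):
    """Fold the transcript digest into the key derivation as the HKDF salt."""
    return hkdf_sha256(raw_shared_secret, transcript_digest(messages),
                       b"example handshake v0")  # hypothetical label

def response_matches_request(request_sent, digest_in_response):
    """Client-side check that the request digest echoed in Bob's response
    matches the request the client actually sent (constant-time compare)."""
    return hmac.compare_digest(transcript_digest([request_sent]),
                               digest_in_response)

# Constructed sample data, not taken from any real handshake.
RAW_SECRET = bytes(range(32))
REQUEST = b"client-request: X || N"
TAMPERED = b"client-request: X'|| N"
RESPONSE = b"server-response: Y"

if __name__ == "__main__":
    alice = session_key(RAW_SECRET, [REQUEST, RESPONSE])
    bob_ok = session_key(RAW_SECRET, [REQUEST, RESPONSE])
    bob_mitm = session_key(RAW_SECRET, [TAMPERED, RESPONSE])
    print("honest run, keys agree:  ", hmac.compare_digest(alice, bob_ok))
    print("tampered run, keys agree:", hmac.compare_digest(alice, bob_mitm))
    print("echoed digest accepted:  ",
          response_matches_request(REQUEST, transcript_digest([TAMPERED])))
```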