Open dominictarr opened 9 years ago
oh yeah, authentication systems based on DH-style key exchange such as Noise and TextSecure/Signal https://whispersystems.org/blog/simplifying-otr-deniability/ do suffer KCI, but the impersonator must have access to the long term key and the ephemeral key. If they compromised the key by, say, finding a discarded hard drive in a dumpster after a server upgrade, then they won't know the ephemeral private key. If they have a trojan on that server then it's only slightly more difficult for them to get the ephemeral key - however if they can control the server then all is lost anyway.
OTR https://otr.cypherpunks.ca/Protocol-v2-3.1.0.html
Note client authenticates first (good) but reveals themselves to the server (bad) and is not required to know the server's key beforehand (not suitable for capability systems)
Noise https://github.com/trevp/noise/wiki https://github.com/trevp/noise/blob/master/noise.md
handshake is encrypted, but server authenticates first (long term key is revealed to a cold caller). bulk encryption protocol seems to be missing an end packet (attacker could possibly terminate connection without being detected) and when used over TCP the length is sent plain, which could be tampered with and cause a deadlock (on some protocols). Since the client boxes its confirmation to the server's ephemeral key, it avoids Key Compromise Impersonation. The handshake skips a 4th message because the server does not wait to see if it was authenticated by the client (maybe the client doesn't want to talk to it?)
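The KCI point made in the comment above (a long-term key alone is not enough once the client's confirmation is bound to the server's ephemeral key) can be shown with a toy model. The following is an added example, not code from this thread or from any of the protocols it names: it uses a textbook finite-field DH group and a constructed transcript purely for illustration, and it compares a handshake whose session key comes only from the two long-term keys with one where the client boxes its confirmation to the server's ephemeral key. The "attacker" side models only the two key-compromise scenarios the comment describes (long-term key alone, versus long-term plus ephemeral key).

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group for illustration; not any real protocol's parameters.
P = 2**255 - 19
G = 2


def keygen():
    """Return (private, public) for textbook DH in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh(priv, pub):
    """Shared secret g^(a*b) mod P, serialised as 32 bytes."""
    return pow(pub, priv, P).to_bytes(32, "big")


def kdf(shared):
    """Derive a session key from a DH output (toy KDF, domain-separated)."""
    return hashlib.sha256(b"toy-kci-demo" + shared).digest()


def tag(key, transcript):
    """Key-confirmation MAC the client sends to prove it derived the same key."""
    return hmac.new(key, transcript, hashlib.sha256).digest()


# Handshake 1: session key from static-static DH only.

def client_confirm_static(sA, B_pub, transcript):
    return tag(kdf(dh(sA, B_pub)), transcript)


def server_verify_static(sB, A_pub, transcript, t):
    return hmac.compare_digest(tag(kdf(dh(sB, A_pub)), transcript), t)


# Handshake 2: client boxes its confirmation to the server's ephemeral key.

def client_confirm_ephemeral(sA, eB_pub, transcript):
    return tag(kdf(dh(sA, eB_pub)), transcript)


def server_verify_ephemeral(eB, A_pub, transcript, t):
    return hmac.compare_digest(tag(kdf(dh(eB, A_pub)), transcript), t)


def simulate():
    """Run both handshakes legitimately and under the two compromise scenarios."""
    sA, A_pub = keygen()      # client long-term key
    sB, B_pub = keygen()      # server long-term key
    eB, eB_pub = keygen()     # server ephemeral key for this session
    # Constructed transcript: the three public values the server has seen.
    transcript = b"".join(x.to_bytes(32, "big") for x in (A_pub, B_pub, eB_pub))
    results = {}

    # Static-static only: a legitimate client passes...
    results["static_legit"] = server_verify_static(
        sB, A_pub, transcript, client_confirm_static(sA, B_pub, transcript))
    # ...and so does anyone holding just sB (the discarded-drive scenario),
    # because dh(sB, A_pub) is exactly what the server itself computes.
    forged = tag(kdf(dh(sB, A_pub)), transcript)
    results["static_kci"] = server_verify_static(sB, A_pub, transcript, forged)

    # Confirmation boxed to the ephemeral key: a legitimate client passes...
    results["eph_legit"] = server_verify_ephemeral(
        eB, A_pub, transcript, client_confirm_ephemeral(sA, eB_pub, transcript))
    # ...but sB alone no longer yields dh(sA, eB_pub); reusing sB is rejected.
    guess = tag(kdf(dh(sB, A_pub)), transcript)
    results["eph_kci_static_only"] = server_verify_ephemeral(eB, A_pub, transcript, guess)
    # With sB *and* eB (the trojan-on-the-server scenario) impersonation works again.
    forged2 = tag(kdf(dh(eB, A_pub)), transcript)
    results["eph_kci_with_ephemeral"] = server_verify_ephemeral(eB, A_pub, transcript, forged2)
    return results


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name:26s} server accepts: {ok}")
```

The model deliberately leaves out everything else the comment raises (who authenticates first, end-of-stream markers, plaintext lengths) so that the only variable is what the client's confirmation is keyed to; the ephemeral variant is also why the "impersonator must have access to the long term key and the ephemeral key" in the first paragraph.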