First I just wanted to say: Thank you for this library! =)
I also want to ask a short question:
I want to make use of crypto_kx_*() for encryption within a lightweight UDP protocol (Layer A). So far I know how that works. There is only one thing: How can I validate the peer (man-in-the-middle)? I thought about moving that from Layer A to Layer B, where client and server have a secret which is the same for both sides, such as an API key. It is then validated using nonce + hash(nonce, secret) to not transmit the secret itself. This way, a man-in-the-middle can be prevented.
However, an additional authentication packet is needed for that, thus, it would be interesting to have that done already within crypto_kx_*(). Is there a safe way to use that secret, such as hashing of the client/server read/write keys with the secret?
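A sketch of the idea raised in the question, mixing the shared secret into the crypto_kx session keys so that no extra authentication packet is needed. This is an added example, not part of the original post and not a libsodium API. It assumes the secret is 32 or more random bytes (an interposed party who knows a crypto_kx key can test guesses of a weak secret offline against the first tag); the crypto_kx keys are constructed random stand-ins, and `CONTEXT`, `mix_psk`, `seal` and `accept` are hypothetical names.

```python
import hashlib
import hmac
import secrets

CONTEXT = b"layerA-psk-v1"   # hypothetical domain-separation label

def mix_psk(psk: bytes, kx_key: bytes) -> bytes:
    """Derive the working key: BLAKE2b keyed with the PSK over a crypto_kx
    session key (the same primitive as crypto_generichash with a key)."""
    if not 32 <= len(psk) <= 64:
        raise ValueError("PSK must be 32..64 random bytes, not a password")
    if len(kx_key) != 32:
        raise ValueError("expected a 32-byte crypto_kx session key")
    return hashlib.blake2b(CONTEXT + kx_key, digest_size=32, key=psk).digest()

def seal(key: bytes, datagram: bytes) -> bytes:
    """Stand-in for the AEAD tag of a Layer A datagram (keyed BLAKE2b MAC)."""
    return hashlib.blake2b(datagram, digest_size=16, key=key).digest()

def accept(key: bytes, datagram: bytes, tag: bytes) -> bool:
    """Constant-time check of a datagram tag under the receiver's key."""
    return hmac.compare_digest(seal(key, datagram), tag)

def demo():
    psk = secrets.token_bytes(32)          # constructed sample secret
    msg = b"first datagram"
    # Honest run: client tx and server rx are the same crypto_kx key.
    kx = secrets.token_bytes(32)
    honest = accept(mix_psk(psk, kx), msg, seal(mix_psk(psk, kx), msg))
    # Interposed party: it ran one exchange with each side, so the client
    # holds k1 and the server holds k2, and the interposer knows both.
    k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)
    server_rx = mix_psk(psk, k2)
    relayed = accept(server_rx, msg, seal(mix_psk(psk, k1), msg))
    # Re-sealing needs mix_psk(psk, k2); without the PSK it cannot be derived.
    guess = secrets.token_bytes(32)
    resealed = accept(server_rx, msg, seal(mix_psk(guess, k2), msg))
    return honest, relayed, resealed

if __name__ == "__main__":
    print(demo())
```

With real traffic the first datagram fails to authenticate when a third party sits between the two exchanges, which is the signal the receiver should treat as a failed handshake.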