Tests for Introduction Security Properties
When testing the introduction protocol, it makes sense to use a real MAC and signature rather than mocks. Otherwise we're only testing that verification rejects an invalid signature/MAC, not that modifying the response actually makes the signature/MAC invalid.
It would be good to have tests for the security properties we're trying to provide:
- If the introducer replaces the ephemeral public key, transport properties and/or timestamp and doesn't modify the ack, the protocol is aborted because the MAC fails
- If the introducer replaces the ephemeral public key (and optionally the transport properties and/or timestamp) and modifies the ack to use a nonce and MAC key that match the new ephemeral public key, the protocol is aborted because the signature is invalid
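The two properties above as a runnable model, written here as an added example and not the project's own code. It assumes a simplified exchange: the response carries the ephemeral public key, transport properties and timestamp; the ack carries an HMAC-SHA256 over those fields and an Ed25519 signature over a nonce; nonce and MAC key are derived from the ephemeral public key as a stand-in for the real key agreement. The names (`Response`, `Ack`, `MakeAck`, `VerifyAck`, `Setup`, the two scenario functions) and the sample transport properties are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Assumed, simplified model of the exchange (not the project's own code). The
// ack carries a MAC over the response fields and a signature, made with the
// introducee's long-term key, over a nonce. Nonce and MAC key are derived from
// the ephemeral public key, standing in for the shared secret of a real key agreement.
type Response struct {
	EphemeralPub   []byte
	TransportProps []byte
	Timestamp      uint64
}

type Ack struct {
	MAC       []byte
	Signature []byte
}

var ErrMAC = errors.New("MAC does not match the response")
var ErrSig = errors.New("signature over the nonce is invalid")

// derive stands in for key derivation from the shared secret.
func derive(label string, ephemeralPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte(label))
	h.Write(ephemeralPub)
	return h.Sum(nil)
}

// encode serialises the response fields; the variable-length one is length-prefixed.
func encode(r Response) []byte {
	out := append([]byte{}, r.EphemeralPub...)
	out = binary.BigEndian.AppendUint32(out, uint32(len(r.TransportProps)))
	out = append(out, r.TransportProps...)
	return binary.BigEndian.AppendUint64(out, r.Timestamp)
}

func computeMAC(r Response) []byte {
	m := hmac.New(sha256.New, derive("mac", r.EphemeralPub))
	m.Write(encode(r))
	return m.Sum(nil)
}

// MakeAck is what an honest introducee produces for its own response.
func MakeAck(r Response, signKey ed25519.PrivateKey) Ack {
	nonce := derive("nonce", r.EphemeralPub)
	return Ack{MAC: computeMAC(r), Signature: ed25519.Sign(signKey, nonce)}
}

// VerifyAck is the receiving side's check: MAC first, then the signature.
func VerifyAck(r Response, a Ack, signPub ed25519.PublicKey) error {
	if !hmac.Equal(computeMAC(r), a.MAC) {
		return ErrMAC
	}
	if !ed25519.Verify(signPub, derive("nonce", r.EphemeralPub), a.Signature) {
		return ErrSig
	}
	return nil
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b)
	return b
}

// Setup builds a constructed honest response, its ack and the signing public key.
func Setup() (Response, Ack, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	r := Response{EphemeralPub: randomBytes(32), TransportProps: []byte("tcp:192.0.2.1:7"), Timestamp: 1700000000}
	return r, MakeAck(r, priv), pub
}

// ReplacedFieldsUnchangedAck: the introducer swaps the ephemeral key and
// transport properties but forwards the ack as received. Expected: ErrMAC.
func ReplacedFieldsUnchangedAck() error {
	r, ack, pub := Setup()
	r.EphemeralPub = randomBytes(32)
	r.TransportProps = []byte("tcp:198.51.100.9:7") // constructed replacement
	return VerifyAck(r, ack, pub)
}

// ReplacedFieldsRecomputedMAC: the introducer swaps the ephemeral key and
// timestamp and recomputes the MAC with the matching key, but has no way to
// re-sign the new nonce with the introducee's long-term key. Expected: ErrSig.
func ReplacedFieldsRecomputedMAC() error {
	r, ack, pub := Setup()
	r.EphemeralPub = randomBytes(32)
	r.Timestamp++
	forged := Ack{MAC: computeMAC(r), Signature: ack.Signature}
	return VerifyAck(r, forged, pub)
}
```

Because the MAC and signature are real, each scenario checks that the modification itself breaks verification: the first fails at the MAC check before the signature is even examined, and the second gets past the recomputed MAC and fails only at the signature, which is exactly the ordering the two properties describe. An honest `Setup()` response verifies with no error, which is the baseline a test suite should also assert.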