[noise] Kernel-land C implementation of latest noise specification

Trevor Perrin trevp at trevp.net
Tue Jul 7 13:00:20 PDT 2015


On Mon, Jul 6, 2015 at 6:19 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>
> With all that said, I'd like to share, privately, with some of the
> readers of this list the current state of the project, because it
> includes a noise implementation (HandshakeIK).

Cool!


> There are a few things different from the actual noise specification:

I'm curious about these variations, and whether they can be
implemented "on top" of the core spec.


> - I use blake2b instead of HMAC-SHA2-256 and SHA2-256 (blake2b has two
> modes - key'd and unkey'd)

This is just a different ciphersuite, where you define a BLAKE2b-based
KDF and HASH?


> - I include a packed and encrypted TAIA timestamp in the initial handshake

The timestamp is just included in the payload, I hope?


> - Rather than the prologue containing a length field, I simply have a
> "type" field which is a u8 containing the type of message -
> handshake-step-X, data, etc

So how do you handle the prologue?  Did you remove it, or do you just
assume it's zero-length?

Can type be inferred by the order of messages?

Did you consider encoding type inside the prologue?  This way the type
will be included in the authenticated data, as well as any other
cleartext data you might need to negotiate in future.


Trevor
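
Added example, not part of the original message or of either implementation: a sketch of the last point above, showing a u8 type field that is rejected after modification when it is covered as prologue (authenticated data) and accepted when it is not. The frame layout, the type codes and the use of keyed BLAKE2b as a stand-in MAC for the AEAD's authenticated-data handling are assumptions made for illustration, not the Noise construction.

```python
import hashlib
import hmac

TAG_LEN = 16
# Hypothetical type codes; the thread does not give the real values.
MSG_HANDSHAKE_1, MSG_DATA = 1, 4


def mac(key: bytes, data: bytes) -> bytes:
    # Keyed BLAKE2b used as a MAC (stand-in for AEAD authentication).
    return hashlib.blake2b(data, key=key, digest_size=TAG_LEN).digest()


def _authenticated(msg_type: int, payload: bytes, bind_type: bool) -> bytes:
    # With bind_type the type byte is the prologue; otherwise the prologue is
    # zero-length. The length prefix keeps the prologue/payload split unambiguous.
    prologue = bytes([msg_type]) if bind_type else b""
    return bytes([len(prologue)]) + prologue + payload


def seal(key: bytes, msg_type: int, payload: bytes, bind_type: bool) -> bytes:
    """Assumed frame layout: type (u8) || payload || tag."""
    tag = mac(key, _authenticated(msg_type, payload, bind_type))
    return bytes([msg_type]) + payload + tag


def open_frame(key: bytes, frame: bytes, bind_type: bool):
    """Return (type, payload), or None if the frame fails authentication."""
    if len(frame) < 1 + TAG_LEN:
        return None
    msg_type, payload, tag = frame[0], frame[1:-TAG_LEN], frame[-TAG_LEN:]
    expected = mac(key, _authenticated(msg_type, payload, bind_type))
    if not hmac.compare_digest(tag, expected):
        return None
    return msg_type, payload


def with_type(frame: bytes, new_type: int) -> bytes:
    # Models a frame whose cleartext type byte was changed in transit.
    return bytes([new_type]) + frame[1:]


if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample key
    for bind in (False, True):
        altered = with_type(seal(key, MSG_DATA, b"hello", bind), MSG_HANDSHAKE_1)
        print("type bound:", bind, "->", open_frame(key, altered, bind))
```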

