[noise] Test vector format

Trevor Perrin trevp at trevp.net
Wed Apr 6 22:38:53 PDT 2016


Thanks for driving this forward!  Comments:

 - Hex is easier than Base64 for debugging, e.g. it can be useful to
count bytes and recognize that part of the ciphertext is what you
expect, but part is different.

 - Probably also use hex for prologue and psk?

 - Error testing might be better handled by specifying which
particular ciphertext should trigger an error.  For example, have a
"payload": "ERROR" special value, instead of "should_fail".  The test
framework will expect decrypting the corresponding ciphertext to fail.

 - I think I agree with Jonathan that pattern / cipher / hash /
curve-type can be specified once, outside the party-specific blocks.

 - It would be possible to use Noise with non-elliptic-curve DH, so
better to call this "dh" or something, rather than "curve".

About JSON:  I worry about JSON files with large numbers of tests,
since I think streaming APIs for JSON are less common than
document-based APIs.  Also, I worry about someone developing for
embedded systems, or smartcards, or IoT or something, who doesn't have
JSON tools lying around.

Would it be reasonable to make the format JSON-compatible but more
restrictive, to make it easier to consume for dumb streaming parsers,
but still allow consumers to use JSON?  This would make it harder for
producing, but I think the tests will be consumed more than produced.
Also, these restrictions could make the tests more human-readable.

For example, what if every test block had the exact same sequence of
fields prior to the "messages", one per line, with no sub-structures
(unused psk or DH fields could have a special value "EMPTY"):

"vectors": [
{
"name": "arbitrary identifier",
"pattern": "NN",
"dh": "25519",
"cipher": "AESGCM",
"hash": "SHA256",
"init_prologue": "foo",
"init_psk": "bar",
"init_static": "<hex formatted private key data>",
"init_semiephemeral": "<hex formatted private key data>",
"init_ephemeral": "<hex formatted private key data>",
"init_remote_static": "<hex formatted public key data>",
"init_remote_semiephemeral": "<hex formatted public key data>"
"resp_prologue": "foo",
"resp_psk": "bar",
"resp_static": "<hex formatted private key data>",
"resp_semiephemeral": "<hex formatted private key data>",
"resp_ephemeral": "<hex formatted private key data>",
"resp_remote_static": "<hex formatted public key data>",
"resp_remote_semiephemeral": "<hex formatted public key data>"
},
"messages": [
{
"payload": "<hex formatted payload>",
"ciphertext": "<hex formatted ciphertext>"
},
{
"payload": "<hex formatted payload>",
"ciphertext": "<hex formatted ciphertext>"
},
{
"payload": "<hex formatted payload>",
"ciphertext": "<hex formatted ciphertext>"
}
]
}


Trevor


On Wed, Apr 6, 2016 at 6:44 PM, Alex <alex at centromere.net> wrote:
> On Wed, 6 Apr 2016 21:26:41 -0400
> Jonathan Rudenberg <jonathan at titanous.com> wrote:
>
>> What do you think about using Base64 instead of hex for the binary
>> parts?
>>
>
> I'm OK with that.
>
>> I’m unsure about specifying the pattern/cipher/hash/curve separately
>> for both sides of the handshake, it seems like that’s only useful for
>> failure mode testing and would be better suited in local unit tests
>> for the implementation.
>>
>
> I think it would be useful to be able to simulate a MITM in which
> one party has a different remote static key than the one that is
> presented.
>
> --
> Alex
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/noise


More information about the Noise mailing list