[noise] Rev30 branch

Trevor Perrin trevp at trevp.net
Fri Jul 1 23:23:32 PDT 2016


I expanded the discussion on "Variant patterns for Noise Pipes" (9.3)
and "Semi-static keys for Noise Pipes" (9.4):

https://github.com/noiseprotocol/noise_spec/compare/master...rev30
https://github.com/noiseprotocol/noise_spec/blob/rev30/noise.md
https://github.com/noiseprotocol/noise_spec/blob/rev30/output/noise.pdf

I like the clarifications and tweaks here, so I may publish revision
30 on Monday.


SUBSTANTIVE CHANGES:

 * "s, e" premessage pattern changed to "e, s".  Reasons below, but no
existing handshake patterns use this, so it shouldn't affect anything.

 * Some clarification on combining PSK with Noise Pipes, but no-one
was doing this, so it also shouldn't affect anything.

---

For the variant patterns, I specified what I think should be the main
alternatives and their fallback patterns.  Fallback patterns are
handled as "transformations" of the full handshake pattern.  That's
probably the best way to handle new patterns, so I rewrote 8.6 to
discuss another transformation ("noidh" for "no identity hiding"),
both as another example, and because we need "IKnoidh" for the
IX/IKnoidh Pipe variant.

---

While working through fallback patterns, I realized these don't
clearly comply with the "Pattern Validity" rule to always send an
ephemeral public key before sending data (they send an ephemeral
pre-message, instead).

That rule is to ensure PSK-derived keys are randomized to prevent
key reuse.  It's not important with any existing patterns,
because the presence of DHs alongside PSK is sufficient to randomize
things, but you could imagine a contrived compound protocol that
doesn't do any DHs in the first round-trip, which would be insecure
when used with PSK.

So I added a notion of "dependent" patterns that depend on a
pre-message ephemeral.  Dependent patterns are only for use in
compound protocols, and have to comply with additional rules:
 - Call MixKey() on the pre-message ephemeral(s), if there's a PSK
 - The pre-message ephemeral(s) can't be used in two protocols with
the same name

---

I changed the pre-message pattern to "e, s" instead of "s, e", so that
the IX pattern (which starts with "e, s") can be transformed into a
fallback, and because it's more consistent in general.

This doesn't affect any existing patterns. It does affect some of the
old semi-ephemeral patterns we took out, but those are gone, and we're
taking more of a "semi-static" approach instead of creating new
semi-ephemeral patterns anyways.


Trevor
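
The fallback transformation and the "dependent" classification described in the message above, sketched as an added example; this is not code from the post or from the Noise spec. The function names, the per-sender reading of the ephemeral-before-data rule, and the DH token spellings (taken from the published Noise spec, possibly differing from rev30's notation) are assumptions.

```python
# Added illustration, not code from the Noise spec. Function names are hypothetical.
# Token spellings follow the published Noise spec and may differ from rev30's notation.

# Pre-message orders accepted after this change: "e, s" replaces "s, e".
VALID_PREMESSAGES = (["e"], ["s"], ["e", "s"])

# Full handshake patterns as (direction, tokens) messages.
XX = [("->", ["e"]),
      ("<-", ["e", "ee", "s", "es"]),
      ("->", ["s", "se"])]
IX = [("->", ["e", "s"]),
      ("<-", ["e", "ee", "se", "s", "es"])]


def to_fallback(pattern):
    """Transform a full pattern: its first message becomes a pre-message."""
    (direction, tokens), rest = pattern[0], pattern[1:]
    if tokens not in VALID_PREMESSAGES:
        raise ValueError(f"{tokens} is not a valid pre-message pattern")
    return [(direction, tokens)], rest


def classify(pre, messages):
    """Return 'valid', 'dependent' or 'invalid'.

    Assumed reading of the rule: each sender's first handshake message must
    carry "e", unless that sender's ephemeral was already a pre-message.
    """
    if any(tokens not in VALID_PREMESSAGES for _, tokens in pre):
        return "invalid"
    pre_ephemeral = {d for d, tokens in pre if "e" in tokens}
    first_by_sender = {}
    for d, tokens in messages:
        first_by_sender.setdefault(d, tokens)
    for d, tokens in first_by_sender.items():
        if "e" not in tokens and d not in pre_ephemeral:
            return "invalid"  # data sent with no fresh ephemeral at all
    # A pre-message ephemeral makes the pattern dependent: compound-protocol
    # use only, MixKey() on that ephemeral if there is a PSK, no reuse of it
    # in two protocols with the same name.
    return "dependent" if pre_ephemeral else "valid"


if __name__ == "__main__":
    for name, pattern in (("XX", XX), ("IX", IX)):
        pre, rest = to_fallback(pattern)
        print(name, classify([], pattern), "| fallback of", name,
              pre, classify(pre, rest))
```

IX only transforms because "e, s" is an accepted pre-message order; with the old "s, e" order its first message would be rejected.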

