[noise] NoiseSocket - next steps

Trevor Perrin trevp at trevp.net
Fri Mar 10 13:24:27 PST 2017


On Fri, Mar 10, 2017 at 1:08 PM, Rhys Weatherley
<rhys.weatherley at gmail.com> wrote:
> Some more comments.
>
> One thing I didn't see was prologues.  The entire first packet with the list
> of protocols being offered, and the selected protocol number, should be
> hashed into the HandshakeState of the final chosen protocol.
>
> Here's the attack scenario: a MITM knows that a target's AESGCM
> implementation is poorly implemented and vulnerable to timing issues.  So
> they modify incoming connection requests to change all "ChaChaPoly"
> protocols into "ChaChaPoli", which forces the target to always select AESGCM
> ciphers.

The idea that was bandied about earlier was to use the list of all
client-offered protocol names as the prologue.

That doesn't bind the message contents for non-chosen client initial
messages, but I think that's OK, though merits a security
consideration (server should only inspect protocol names, not
messages, when choosing which message to respond to).

Tentatively, that still seems like a simple and adequate solution here?

Trevor


More information about the Noise mailing list