[noise] NLS?

Trevor Perrin trevp at trevp.net
Sun Mar 11 17:49:50 PDT 2018


On Sun, Mar 11, 2018 at 10:15 PM, Gerardo Di Giacomo <gedigi at live.com> wrote:
>
> 1) In NLS you have: "If the responder accepts the initiator's initial_protocol, the response negotiation_data is zero-length (according to NoiseSocket)." Currently the negotiation data for both initiator and receiver is saved in the Prologue. If the negotiation data for the responder has to be zero-length, and therefore the Prologue is empty, then the handshake will fail, as "If both parties do not provide identical prologue data, the handshake will fail due to a decryption error." Currently, with the go implementation of NS, the responder replays the same negotiation data + its noise message to the initiator.

In the Accept case, the prologue that both parties use is:

"NoiseSocketInit1" || init_negotiation_data_len || init_negotiation_data

Where init_negotiation_data refers to the initiator's first message.

At least that's how it's spec'd.  Hopefully that's what the Golang code does?


> 2) For NS, the Prologue's initial string was NoiseSocketInit1/2/3 according to where you were in the handshake (accept, switch, retry). So if, as initiator, I received a Init2, I knew I had to read more bytes because I knew I was going to receive the responder's negotiation data as a "fourth" packet (1- NoiseSocketInit2, 2- negdata(len+content), 3- noise(len+content), 4- Rnegdata(len+content)). With NLS you have the same initial string "NLS(revision1)", and since the responder's first three packets are basically the same, as an initiator I don't know if I have to read the 4th packet containing responder's negotiation data or the responder accepted the protocol.

Not sure what you mean by "received a Init2".  The prologue labels
"NoiseSocketInit1" etc aren't sent on the wire.  The prologue is just
an input to hashing, it's not transmitted.

After sending its initial messages, the initiator will receive a
single NoiseSocket response message, containing some negotiation_data
(might be zero-length) and a Noise message (might be zero-length).

If the negotiation_data is zero-length, that means the responder
accepted the initiator's initial_protocol.  If the negotiation_data is
non-zero-length, it contains a NoiseLingoNegotiationDataResponse
protobuf, which the initiator parses to determine whether this is a
Switch, Retry, or Reject case.

Hope that helps?

Trevor
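The two points in Trevor's reply (the Accept-case prologue is built only from the initiator's negotiation data, and the initiator reads one length-prefixed response message and keys off a zero-length negotiation_data) worked through as an added example. This is not code from the Noise project, NoiseSocket, NLS, or anyone in the thread. It assumes NoiseSocket's framing of a message as 2-byte big-endian length || negotiation_data || 2-byte big-endian length || noise_message, assumes the same 2-byte encoding for init_negotiation_data_len inside the prologue, and uses SHA-256 over the prologue purely as a stand-in for the handshake-hash mixing so that a prologue mismatch is visible. The sample bytes are constructed, and the NoiseLingoNegotiationDataResponse protobuf is not decoded here.

```python
import hashlib
import struct

# Prologue label for the Accept case, as quoted in the reply.
ACCEPT_PROLOGUE_LABEL = b"NoiseSocketInit1"


def frame_message(negotiation_data: bytes, noise_message: bytes) -> bytes:
    """Encode one NoiseSocket message: len16 || negotiation_data || len16 || noise_message.
    (2-byte big-endian prefixes: assumption taken from NoiseSocket framing.)"""
    if len(negotiation_data) > 0xFFFF or len(noise_message) > 0xFFFF:
        raise ValueError("field exceeds 16-bit length prefix")
    return (struct.pack(">H", len(negotiation_data)) + negotiation_data
            + struct.pack(">H", len(noise_message)) + noise_message)


def parse_message(buf: bytes) -> tuple[bytes, bytes, bytes]:
    """Decode one NoiseSocket message from the front of buf.

    Returns (negotiation_data, noise_message, remaining_bytes). Both fields are
    length-prefixed, so a zero-length field is still consumed from the wire:
    the reader never has to guess whether a "fourth packet" follows.
    """
    def take(b: bytes) -> tuple[bytes, bytes]:
        if len(b) < 2:
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">H", b[:2])
        if len(b) < 2 + n:
            raise ValueError("truncated field")
        return b[2:2 + n], b[2 + n:]

    negotiation_data, rest = take(buf)
    noise_message, rest = take(rest)
    return negotiation_data, noise_message, rest


def accept_prologue(init_negotiation_data: bytes) -> bytes:
    """Prologue both parties hash in the Accept case, per the reply:
    "NoiseSocketInit1" || init_negotiation_data_len || init_negotiation_data.
    Only the initiator's first-message negotiation data goes in; the
    responder's empty negotiation_data is not appended."""
    return (ACCEPT_PROLOGUE_LABEL
            + struct.pack(">H", len(init_negotiation_data))
            + init_negotiation_data)


def classify_response(negotiation_data: bytes) -> str:
    """Initiator's decision on the single response message: zero-length
    negotiation_data means Accept; anything else carries a
    NoiseLingoNegotiationDataResponse protobuf that the caller parses to
    tell Switch, Retry and Reject apart (not decoded in this example)."""
    return "accept" if not negotiation_data else "negotiation_response"


def responder_accept(initial_message: bytes, noise_response: bytes) -> tuple[bytes, bytes]:
    """Responder side of the Accept case: read the initiator's message, derive
    the prologue from the initiator's negotiation data only, and reply with
    zero-length negotiation_data plus its own Noise message."""
    init_neg, _init_noise, rest = parse_message(initial_message)
    if rest:
        raise ValueError("trailing bytes after initial message")
    return accept_prologue(init_neg), frame_message(b"", noise_response)


def prologue_digest(prologue: bytes) -> str:
    """Stand-in for mixing the prologue into the Noise handshake hash
    (assumption: SHA-256 is only used to make mismatches visible)."""
    return hashlib.sha256(prologue).hexdigest()


def demo() -> dict:
    # Constructed sample bytes, not captured traffic.
    init_neg = b"\x0a\x05hello"    # stands in for the initiator's NLS negotiation data
    init_noise = b"\x01" * 32      # stands in for the initiator's Noise message
    resp_noise = b"\x02" * 48      # stands in for the responder's Noise message

    initiator_prologue = accept_prologue(init_neg)
    wire1 = frame_message(init_neg, init_noise)
    responder_prologue, wire2 = responder_accept(wire1, resp_noise)

    resp_neg, _resp_noise_rx, rest = parse_message(wire2)
    # Hypothetical mismatch: also appending the responder's (empty) negotiation
    # data to the prologue, as the question describes, diverges from the spec'd value.
    appended = initiator_prologue + struct.pack(">H", 0)
    return {
        "wire2_len": len(wire2),
        "decision": classify_response(resp_neg),
        "prologues_match": prologue_digest(initiator_prologue) == prologue_digest(responder_prologue),
        "appended_matches": prologue_digest(appended) == prologue_digest(responder_prologue),
        "rest": rest,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the responder's Accept reply as a 52-byte message whose first two bytes are a zero length, the initiator classifying it as "accept" without any prior knowledge of how many fields to expect, and the two sides' prologue digests agreeing only when neither side folds the responder's empty negotiation data into the prologue.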


More information about the Noise mailing list