<div dir="ltr"><div><div><div><div><div><div><div><div>Hi all,<br><br></div>I'm working on a project with some electric utilities to develop a cryptographic wrapper that can be used with existing serial channels (point to multi-point 900 mhz radio as an example). We'll have to design a framing layer that handles things like addressing and error detection.<br><br></div>We've been looking at Noise as a candidate for the crystallographic layer as it seems to be well designed, makes efficient use of bytes, and uses modern primitives that will be efficient in a low-bandwidth environment.<br><br></div>Utiltity environment(s) are a bit different from standard IT in that we don't care about confidentiality of the information protected by our protocol (i.e. our session need only be authenticated). We want NSM tools to be able to see everything that is going on, and who is talking to who, without having to spread credentials around haphazardly. With that said, we'd likely only be using the key agreement part of Noise, and not using encryption for the session.<br><br></div>I have a question regarding how Noise uses AEAD cipher modes to authenticate the key agreement. Is this primarily how Noise accomplishes "identity hiding"? I.e., all the key agreement payloads would be encrypted, thus observers wouldn't see any payload certificates, etc? I believe that in our use case this is actually a downside. We'd want this metadata to be as visible as possible on our private network. I just want to make sure there isn't something I'm missing about the design of the key agreement authentication other than the identity hiding benefits. Given that we explicitly want as much identity metadata to be visible as possible, I think we'd be better off using some kind of modern DSA like Ed25519 for key-agreement authentication.<br><br></div>What I really like about Noise's design is the hashing scheme that provides protection from downgrade attacks, etc, i.e. that everything in the handshake is authenticated. Do you see any straight forward way we could modify the design to use a DSA?<br><br></div>Many thanks for any insights you can provide.<br><br></div>Regards,<br></div>Adam<br clear="all"><div><div><div><div><div><div><div><div><div><br>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><pre style="white-space:pre-wrap">J Adam Crain - Partner</pre><pre style="white-space:pre-wrap"><a href="http://www.automatak.com" style="font-family:arial,sans-serif;font-size:12.666666984558105px" target="_blank"><img src="http://www.automatak.com/images/automatak_letter_logo.png" height="14" width="96"></a><br></pre><pre style="white-space:pre-wrap">PGP 4096R/<a href="https://www.automatak.com/keys/jadamcrain.asc" style="color:rgb(17,85,204)" target="_blank">E2984A0C</a> 2013-05-03</pre></div></div></div></div></div></div>
</div></div></div></div></div></div></div></div></div></div>