<div dir="auto">Thats why testing is important! It is good that you picked up an error even if it was mistaken... For an earlier release we had a machine readable list, it would be nice if we could automate more of the spec generation from a base list of patterns.</div><br><div class="gmail_quote"><div dir="ltr">On Thu, 24 May 2018, 20:30 Nadim Kobeissi, <nadim@symbolic.software> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thanks, sorry about that!<br>
<br>
Nadim Kobeissi<br>
Symbolic Software • <a href="https://symbolic.software" rel="noreferrer noreferrer" target="_blank">https://symbolic.software</a><br>
Sent from office<br>
<br>
On Thu, May 24, 2018 at 8:30 PM Justin Cormack<br>
<<a href="mailto:justin@specialbusservice.com" target="_blank" rel="noreferrer">justin@specialbusservice.com</a>><br>
wrote:<br>
<br>
> You are missing the fourth line with se on that pattern<br>
<br>
> On Thu, 24 May 2018, 18:51 Nadim Kobeissi, <nadim@symbolic.software><br>
wrote:<br>
<br>
>> Hello everyone,<br>
<br>
>> I just noticed something:<br>
<br>
>> X1X1:<br>
>> -> e<br>
>> <- e, ee, s<br>
>> -> es, s<br>
>> <-<br>
>> -><br>
<br>
>> In this pattern, a static key is sent by the initiator (in the third<br>
>> message) and never used. According to Katriel's suggestion of<br>
invalidating<br>
>> Noise Handshake Patterns that would send unused key shares, this<br>
>> description of X1X1 would be invalid.<br>
<br>
>> What should be done? Modify X1X1, or annul Katriel's proposed<br>
restriction?<br>
<br>
>> Nadim Kobeissi<br>
>> Symbolic Software • <a href="https://symbolic.software" rel="noreferrer noreferrer" target="_blank">https://symbolic.software</a><br>
>> Sent from office<br>
>> On Thu, May 24, 2018 at 7:30 PM Nadim Kobeissi <nadim@symbolic.software><br>
>> wrote:<br>
<br>
>> > Dear Trevor,<br>
<br>
>> > Here is the exact text of the grades in question in today's Noise<br>
>> > specification:<br>
<br>
>> > Authenticity grade 1: "Sender authentication vulnerable to<br>
key-compromise<br>
>> > impersonation (KCI). The sender authentication is based on a<br>
static-static<br>
>> > DH ("ss") involving both parties' static key pairs. If the recipient's<br>
>> > long-term private key has been compromised, this authentication can be<br>
>> > forged. Note that a future version of Noise might include signatures,<br>
>> which<br>
>> > could improve this security property, but brings other trade-offs."<br>
<br>
>> > Authenticity grade 2: "Sender authentication resistant to<br>
key-compromise<br>
>> > impersonation (KCI). The sender authentication is based on an<br>
>> > ephemeral-static DH ("es" or "se") between the sender's static key pair<br>
>> and<br>
>> > the recipient's ephemeral key pair. Assuming the corresponding private<br>
>> keys<br>
>> > are secure, this authentication cannot be forged."<br>
<br>
>> > The issue lies in that the above two paragraphs do not specify whether<br>
>> > there is an opening for a malicious principal to mess with things.<br>
Observe<br>
>> > message C in the following two results:<br>
<br>
>> > <a href="https://noiseexplorer.com/patterns/KN.noise.html" rel="noreferrer noreferrer" target="_blank">https://noiseexplorer.com/patterns/KN.noise.html</a><br>
>> > <a href="https://noiseexplorer.com/patterns/IK.noise.html" rel="noreferrer noreferrer" target="_blank">https://noiseexplorer.com/patterns/IK.noise.html</a><br>
<br>
>> > In IK, message C is resistant to key compromise impersonation even if<br>
its<br>
>> > sender (the initiator) negotiates a separate session in parallel with a<br>
>> > compromised principal Charlie, who is controlled by the attacker<br>
>> > unbeknownst to the sender.<br>
<br>
>> > In KN, message C is also resistant to key compromise impersonation, but<br>
>> > unlike message C in IK, this property does not hold if Charlie also<br>
enters<br>
>> > the fray in a similar manner.<br>
<br>
>> > In the current Noise specification, both KN and IK are given the<br>
similar<br>
>> > grade for authenticity. That is the problem and the reason for the<br>
>> expanded<br>
>> > authenticity grading system. In Noise Explorer's system, grades 3 and 4<br>
>> > essentially are short hand for "1 and 2 but with maintained key<br>
compromise<br>
>> > impersonation resistance even when negotiating with a compromised<br>
>> > principal."<br>
<br>
>> > Now, I understand your suggestion with regards to pairing these grades<br>
>> with<br>
>> > corresponding confidentiality queries, but this raises two questions<br>
in my<br>
>> > mind:<br>
<br>
>> > 1. The confidentiality queries in question are written and formalized<br>
to<br>
>> > deal with message secrecy and forward secrecy two properties that do<br>
not<br>
>> at<br>
>> > all touch upon authenticity. Shouldn't we strive to therefore working<br>
on<br>
>> > separating these properties formally?<br>
<br>
>> > 2. There is also the question of reduced precision. Instead of having<br>
>> > authenticity grades "1, 3-5" and grade "2, 3-5", why not settle for a<br>
>> > system where we obtain precise grades for authenticity, independently<br>
from<br>
>> > having to look at a confidentiality/message secrecy/forward secrecy<br>
>> result?<br>
<br>
>> > Nadim Kobeissi<br>
>> > Symbolic Software • <a href="https://symbolic.software" rel="noreferrer noreferrer" target="_blank">https://symbolic.software</a><br>
>> > Sent from office<br>
>> > On Thu, May 24, 2018 at 6:10 PM Trevor Perrin <<a href="mailto:trevp@trevp.net" target="_blank" rel="noreferrer">trevp@trevp.net</a>> wrote:<br>
<br>
>> > > On Thu, May 24, 2018 at 12:05 PM, Nadim Kobeissi<br>
>> > > <nadim@symbolic.software> wrote:<br>
>> > > > Hello everyone,<br>
>> > > > I've been following up on all of these discussions very closely,<br>
but<br>
>> > have<br>
>> > > > not said anything because I've been working furiously on getting<br>
all<br>
>> the<br>
>> > > > formal results for all 22 deferred patterns *with* two "tokenless"<br>
>> > messages<br>
>> > > > out. I'm afraid that with the addition of two "tokenless" messages<br>
to<br>
>> > every<br>
>> > > > single model, the cost of verification increases dramatically.<br>
Things<br>
>> > are<br>
>> > > > still going to take quite a long time -- I wish we weren't nearing<br>
>> > June, at<br>
>> > > > least I'd have a use for the free radiators I now have in my<br>
apartment<br>
>> > due<br>
>> > > > to this -- quite a lot of finely tuned dedicated hardware is now<br>
>> dealing<br>
>> > > > with the formal verification load.<br>
>> > > ><br>
>> > > > An important clarification: Trevor says the following:<br>
>> > > >> Thinking more on rev34, it would probably be irresponsible to<br>
publish<br>
>> > > >> *without* security tables for all the deferred patterns... So I'd<br>
>> > > >> love to work out how to get your output processed into some tables<br>
>> > > >> like the current ones (or possibly changed around a bit,<br>
depending on<br>
>> > > >> that discussion). Or really: for you to work that out, so I could<br>
>> > > >> just copy-and-paste :-)....<br>
>> > > ><br>
>> > > > Trevor, the security tables for 20 of the deferred patterns are<br>
>> already<br>
>> > > > available on Noise Explorer's website. They simply do not include<br>
the<br>
>> > > > "tokenless" messages. Just a note in the event that you missed<br>
that.<br>
>> :-)<br>
>> > > ><br>
>> > > > Regarding the discussions on security properties, I'm personally<br>
>> > currently<br>
>> > > > satisfied with the recognition that any deferred pattern that opens<br>
>> up a<br>
>> > > > potential UKS attack will simply never qualify towards authenticity<br>
>> > grades<br>
>> > > > 3 and 4 (as defined by Noise Explorer) and will always be<br>
restricted<br>
>> to<br>
>> > a<br>
>> > > > maximum of 1 or 2 (as defined by Noise Explorer, see my previous<br>
email<br>
>> > > > where I list a "very quick summary" of the additions to the<br>
>> authenticity<br>
>> > > > properties.)<br>
<br>
>> > > Hmm, the way I think about it, no patterns should ever open up a<br>
>> > > potential UKS attack? Also, the deferred patterns should end up with<br>
>> > > the same properties as their corresponding fundamental pattern, since<br>
>> > > they perform the same operations.<br>
<br>
>> > > Looking more closely at your numeric grades, I think your two new<br>
>> > > authentication grade numbers just correspond to the Noise<br>
>> > > authentication grades 0-2, except you use 2 new numbers based on the<br>
>> > > confidentiality grade it's being paired with:<br>
<br>
>> > > ("NE" for Noise Explorer):<br>
<br>
>> > > NE 0 -> spec(0, 0-2)<br>
>> > > NE 1 -> spec(1, 0-2)<br>
>> > > NE 2 -> spec(2, 0-2)<br>
>> > > NE 3 -> spec(1, 3-5)<br>
>> > > NE 4 -> spec(2, 3-5)<br>
<br>
>> > > In other words, I don't think these new NE grades encode new<br>
>> > > information. So I'm not yet convinced they improve things versus the<br>
>> > > Noise spec's system, seems like we could map your 3->1, and your<br>
4->2,<br>
>> > > and bring things into alignment?<br>
<br>
>> > > Trevor<br>
>> _______________________________________________<br>
>> Noise mailing list<br>
>> <a href="mailto:Noise@moderncrypto.org" target="_blank" rel="noreferrer">Noise@moderncrypto.org</a><br>
>> <a href="https://moderncrypto.org/mailman/listinfo/noise" rel="noreferrer noreferrer" target="_blank">https://moderncrypto.org/mailman/listinfo/noise</a><br>
</blockquote></div>