[noise] New draft for "chain-of-DH" approach
Trevor Perrin
trevp at trevp.net
Sat Jun 13 18:42:26 PDT 2015
https://github.com/trevp/noise/blob/master/noise.md
I'm liking the "chain-of-DHs" more than the older "boxes/pipes", so
I've tried to flesh it out. I'd also like to get something simple and
useable done fairly quickly, we can add features later, but this has
dragged on for too long...
Please send feedback! Particularly: how close this is to different
use cases, unclear points, crypto flaws, etc.
More details:
- "Prologue" added to handle versioning and negotiation.
- "Pre-messages" added to handle prior knowledge of the other party's
keys in a consistent way.
- "Splitting sessions" added to terminate the handshake phase and
switch to duplex streams.
- Interface between ciphersuites and main protocol made simpler,
though the ciphersuite designer has to be careful about key reuse.
- Fleshed out and renamed the Box / Handshake protocols, they now
cover all combinations of (none / known / transmitted) static keys,
and have a "quad" option to add the static-static DH.
- Padding removed. The calling app will need to decide on it
anyways, so it doesn't need to be in this layer.
- "Nonce" descriptor removed, so Noise can no longer safely do a
static-static NaCl box unless you use a ciphersuite with explicit
nonces. In all other cases randomization is handled with ephemeral
keys. I think this is OK since NaCl already exists, I'd rather steer
people towards ephemeral keys, and this makes things simpler.
- Doesn't support pre-keys or signatures currently. Let's see if
this core is useable before adding too much.
Trevor
More information about the Noise
mailing list