[noise] New revision: "noh2" branch, revision 3

Trevor Perrin trevp at trevp.net
Tue Sep 1 09:10:41 PDT 2015


On Tue, Sep 1, 2015 at 6:12 AM, Tiffany Bennett <tiffany at stormbit.net> wrote:
> I don't like the 65536 byte message length limit.

65535, to fit a uint16 length field.


> It introduces an
> unnecessary number of additional messages into a noise box, and I
> don't see much reason for it. Chacha and AES-GCM are already
> random-access, so you don't need to parcel the message into chunks in
> order to read only a part of it, you just have to check the
> authenticator tag.

The ciphers are random-access, but authentication only occurs at the end.
So streaming or random-access implementations will be tempted to
access unauthenticated ciphertext, which is a security flaw.

Adam Langley has griped about this.  Preventing that mistake is one goal here:

https://www.imperialviolet.org/2015/05/16/aeads.html
https://www.imperialviolet.org/2014/06/27/streamingencryption.html


> If you do actually need to access only a part of a
> message, then it might make more sense to use a Merkle tree.

I don't think that's necessary, here?


> Chunked
> messages can still be used, but I don't think there should be an
> enforced maximum size.

Other reasons:

Small-ish messages make it easier to exhaustively test the Noise core
for all message sizes, and easier to test splitting large files into
messages (as the splitting will be triggered all the time, instead of
in rare cases).

And forcing all Noise messages to use the same-size length field
increases the chances for interop.


From rationale section:
"""
Noise messages are <= 65535 bytes because:

 * This allows streaming decryption of large files without having to
hold the entire file in memory
 * This simplifies testing and reduces memory or overflow errors in
handling large messages
 * This restricts length fields to 16 bits - the overhead of larger
length fields might cost something for small messages, but the
overhead of smaller length fields is insignificant for large messages.
"""

Trevor

>
> On Tue, Sep 1, 2015 at 4:38 AM, Trevor Perrin <trevp at trevp.net> wrote:
>> https://github.com/trevp/noise/blob/noh2/noise.md
>>
>> Based partly on discussions with Tiffany and Jason, I moved the type /
>> length fields out of the core protocol into a section on "Application
>> Responsibilities".
>>
>> I'm changing my mind on this partly because it enables other
>> simplifications - since the Session object is no longer responsible
>> for framing transport messages it now only has a role in the
>> Handshake, so I renamed it to HandshakeState and use the kernel
>> directly for transport messages (renaming the kernel to CipherState).
>>
>> But I think this is a sensible division in other ways - e.g. the
>> framing data isn't cryptographically important, so it's better to keep
>> the "trusted base" of crypto code as simple as possible.
>>
>> Note this isn't "substantive" - doesn't affect bytes on wire.  But I
>> also simplified naming for handshakes and protocols, which does
>> substantively affect Noise Pipes.
>>
>> Other presentation changes:
>>  - Added "Application Responsibilities" section to discuss framing,
>> termination, extensions, padding
>>  - Changed Session object to a HandshakeState and Kernel to a
>> CipherState - after the Handshake the CipherState is used directly to
>> encrypt, instead of keeping the Session around
>>  - More renaming: DH functions / cipherset -> DH parameters, cipher
>> parameters, EncryptHandshakeData -> ConditionalEncryptAndMixHash
>>  - Rewrote overview
>>
>> Trevor
>> _______________________________________________
>> Noise mailing list
>> Noise at moderncrypto.org
>> https://moderncrypto.org/mailman/listinfo/noise
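The reply above argues that bounded messages keep a streaming reader from touching ciphertext whose tag has not yet been checked. The following is an added example (not code from this thread or from the Noise project) showing a large input split into AEAD messages of at most 65535 bytes behind a uint16 length field, with plaintext released only after each message authenticates. The `Seal`/`Open` names, the counter nonce layout, the use of Go's AES-GCM and the all-zero demo key are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

const maxMsg = 65535 // largest length a uint16 field can carry

// nonce: 4 zero bytes, then a big-endian counter (layout assumed for this example).
func nonce(n uint64) []byte { return binary.BigEndian.AppendUint64(make([]byte, 4), n) }

// Seal splits pt into AEAD messages of at most maxMsg bytes, each behind a uint16 length.
func Seal(a cipher.AEAD, pt []byte) (out []byte) {
	for n := uint64(0); len(pt) > 0; n++ {
		k := maxMsg - a.Overhead() // leave room for the tag inside the 65535 limit
		if k > len(pt) {
			k = len(pt)
		}
		ct := a.Seal(nil, nonce(n), pt[:k], nil)
		out = append(binary.BigEndian.AppendUint16(out, uint16(len(ct))), ct...)
		pt = pt[k:]
	}
	return out
}

// Open hands a chunk to emit only after that chunk's tag has verified.
func Open(a cipher.AEAD, in []byte, emit func([]byte)) error {
	for n := uint64(0); len(in) > 0; n++ {
		if len(in) < 2 || len(in) < 2+int(binary.BigEndian.Uint16(in)) {
			return fmt.Errorf("message %d truncated", n)
		}
		end := 2 + int(binary.BigEndian.Uint16(in))
		pt, err := a.Open(nil, nonce(n), in[2:end], nil)
		if err != nil {
			return fmt.Errorf("message %d rejected: %w", n, err)
		}
		emit(pt) // the reader never sees bytes from a message that failed its tag
		in = in[end:]
	}
	return nil
}

func main() {
	blk, _ := aes.NewCipher(make([]byte, 32)) // constructed all-zero demo key
	a, _ := cipher.NewGCM(blk)
	fmt.Println(Open(a, Seal(a, make([]byte, 100000)), func(p []byte) { fmt.Println(len(p)) }))
}
```

An attacker dropping whole trailing messages is not detected by this sketch; the quoted revision notes list termination among the application's responsibilities.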

