[noise] New draft: "916" branch
Trevor Perrin
trevp at trevp.net
Mon Sep 21 00:32:49 PDT 2015
New draft in the "916" branch:
https://github.com/trevp/noise/blob/916/noise.md
I tried to clean up initialization and rewrite some parts for clarity.
I'll merge this soon, let me know if anyone objects.
Substantive changes around initialization:
* Initialization of h and k is changed. Previously it was done with
k = MixKey(name || 0x00 || preshared_key). Now k is set directly to
the preshared_key (which must be empty or 256 bits), and h is set
directly to handshake_name if it's short enough, h =
HASH(handshake_name) otherwise. This is simple and efficient, and
more consistent with keeping secret values in k, and other values in
h.
* Initialization of public keys / keypairs is simplified: Previously
you had to set pre-known remote public keys by processing
"pre-messages". But that would be awkward with pre-shared keys (you'd
have to encrypt the pre-message), and would trigger unnecessary
MixHash() on pre-message payloads. So now remote public keys are
still notated as pre-messages, but you just pass them in to
Initialize(), then call MixHash() on any static public keys.
* The first MixKey() step just does k = HASH(data), instead of k =
KDF(GETKEY(k, n), data). That saves a KDF call and 3-4 SHA256
compression functions in typical usage.
Cosmetic changes:
* Changed V1 -> V0 to emphasize work-in-progress
* Simplified "Overview", added "Message format"
* Refactored the CipherState and HandshakeState objects: there's now
CipherState, SymmetricHandshakeState, and HandshakeState. The
previous CipherState had an ambiguous role: it encapsulated all
symmetric-crypto, including values / methods used only during
handshaking, and not used in the CipherState's role handling transport
messages.
The new CipherState only manages (k, n) and encryption / decryption,
so can be used more cleanly for transport messages. Handshake-relevant
symmetric crypto (h, has_key, mixing) is separated out, which also
makes HandshakeState simpler.
* Clarified handshake names, removed protocol names
* Removed discussion and pseudocode for "dummy statics"; it's a
simple concept, and I'm trying to remove clutter.
* Renamed "cipher parameters" -> "symmetric crypto parameters"
* Added some rationale and security considerations
Trevor
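Added example (not part of Trevor's mail or the Noise draft itself): a
small Python sketch of the initialization and state split the mail
describes. HASH is SHA256 (so HASHLEN = 32, taken here as the "short
enough" bound for using handshake_name directly as h), and KDF and
GETKEY are HMAC-SHA256 stand-ins, since the mail names them but does
not define them; the nonce reset after MixKey is likewise an assumption.

```python
import hashlib
import hmac

# Assumption: SHA256 as HASH, so HASHLEN = 32; a handshake_name of at most
# HASHLEN bytes counts as "short enough" to be used directly as h.
HASHLEN = 32


def HASH(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def KDF(key: bytes, data: bytes) -> bytes:
    # Stand-in for the draft's KDF (assumption): HMAC-SHA256 keyed by `key`.
    return hmac.new(key, data, hashlib.sha256).digest()


def GETKEY(k: bytes, n: int) -> bytes:
    # Stand-in for the draft's GETKEY (assumption): derive a fresh key bound
    # to the current (k, n) pair.
    return hmac.new(k, n.to_bytes(8, "little"), hashlib.sha256).digest()


class CipherState:
    """Holds only (k, n): the transport-message role described in the mail."""

    def __init__(self, k: bytes):
        self.k = k
        self.n = 0  # nonce counter, advanced once per transport message

    def next_nonce(self) -> int:
        n = self.n
        self.n += 1
        return n


class SymmetricHandshakeState:
    """Handshake-only symmetric state: h, k, n, has_key and the mixing steps."""

    def initialize(self, handshake_name: bytes, preshared_key: bytes = b"",
                   remote_static_keys=()) -> None:
        if len(preshared_key) not in (0, 32):
            raise ValueError("preshared_key must be empty or 256 bits")
        # k is the pre-shared key directly; has_key records whether it is set.
        self.k = preshared_key
        self.has_key = len(preshared_key) == 32
        self.n = 0
        # h is the name itself when short enough, otherwise HASH(name).
        if len(handshake_name) <= HASHLEN:
            self.h = handshake_name
        else:
            self.h = HASH(handshake_name)
        # Pre-known remote public keys are passed in here and mixed into h,
        # instead of being processed as (possibly encrypted) pre-messages.
        for pk in remote_static_keys:
            self.mix_hash(pk)

    def mix_key(self, data: bytes) -> None:
        if not self.has_key:
            # First MixKey: k = HASH(data), no KDF/GETKEY call needed.
            self.k = HASH(data)
            self.has_key = True
        else:
            self.k = KDF(GETKEY(self.k, self.n), data)
        self.n = 0  # assumption: nonce counter restarts under the new key

    def mix_hash(self, data: bytes) -> None:
        self.h = HASH(self.h + data)

    def split(self) -> CipherState:
        # Hand the final k to a transport-only CipherState with n = 0.
        if not self.has_key:
            raise RuntimeError("no key has been mixed in yet")
        return CipherState(self.k)
```

The secret material only ever lives in k (and in the CipherState derived
from it), while names and public keys only ever touch h, which is the
separation the mail argues for.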