[noise] Implementation: Revision 10 - Noise_IS, with a few deviations
Trevor Perrin
trevp at trevp.net
Fri Oct 16 17:50:17 PDT 2015
On Fri, Oct 16, 2015 at 1:22 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>
> Note that it makes the following deviations from Trevor's specification:
>
> Blake2b is used instead of SHA2-256 as a HASH function.
>
> For HASH, it is truncated to 32 bytes.
> For HKDF, the full 64 bytes are used.
Seems fine to use Blake2b for HASH, that's just different symmetric
crypto parameters.
I would use the HMAC-HASH output of 32 bytes for HKDF. The HKDF paper
claims good results for truncating a larger hash, so I don't see a
reason to do something different.
> Little endian is used for all fields instead of big endian.
> No explicit outer-length parameter, since the outer and enclosed IP packets
> already have relevent lengths.
No big deal, these are just application responsibilities.
> There is no maximum length limit, though the MTU controls this implicitly.
Is there a reason 65535-byte messages are too short?
> The first handshake message contains a timestamp, to prevent replay attacks,
> as part of its payload.
Not really a deviation, you can put whatever you want in the payload.
Trevor
More information about the Noise
mailing list