[noise] Implementation: Revision 10 - Noise_IS, with a few deviations

Trevor Perrin trevp at trevp.net
Fri Oct 16 17:50:17 PDT 2015


On Fri, Oct 16, 2015 at 1:22 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>
> Note that it makes the following deviations from Trevor's specification:
>
> Blake2b is used instead of SHA2-256 as a HASH function.
>
> For HASH, it is truncated to 32 bytes.
> For HKDF, the full 64 bytes are used.

Seems fine to use Blake2b for HASH, that's just different symmetric
crypto parameters.

I would use the HMAC-HASH output of 32 bytes for HKDF.  The HKDF paper
claims good results for truncating a larger hash, so I don't see a
reason to do something different.


> Little endian is used for all fields instead of big endian.
> No explicit outer-length parameter, since the outer and enclosed IP packets
> already have relevent lengths.

No big deal, these are just application responsibilities.


> There is no maximum length limit, though the MTU controls this implicitly.

Is there a reason 65535-byte messages are too short?


> The first handshake message contains a timestamp, to prevent replay attacks,
> as part of its payload.

Not really a deviation, you can put whatever you want in the payload.

Trevor


More information about the Noise mailing list