[noise] STROBE lite v0.2
Michael Hamburg
mike at shiftleft.org
Fri Oct 16 18:02:30 PDT 2015
Hello Noisy folk,
I’ve been working for a while on a protocol framework based on Noise and also BLINKER, called "STROBE lite". It is designed to be used for IOT and other constrained devices in place of more complex protocols such as TLS. I believe that the design is now ready for its first real public release, v0.2.
The design is lightweight, weighing in under 2kiB of code and a couple hundred bytes of stack on ARM-Thumb2 last I checked. It isn’t fast, but it isn’t horribly slow either. Maybe 250 CPB on an M3.
The goal is to use a sponge construction (Keccak-F[800] should run well on 32-bit micros) for all the symmetric crypto in a given system. This reduces the code size and memory consumption, and considerably simplifies the protocol design and code. For example, if you look at the long-running discussion on prehash and hash modes for EC signatures on CFRG right now, things are much simpler here: the framework has a Schnorr signature operation which is performed on the state of the protocol (or symmetric cryptosystem), so it requires no prehash, it takes all context into account, and it requires no additional hash functions.
Other exciting features:
* You can use this framework for other things, like code signing, static encryption, random number generation and key diversification. Of course, you could do these things with other symmetric libraries, but it’s really straightforward with STROBE lite.
* For complex protocols (TLS replacements), version fallbacks are handled gracefully and with minimal risk of a downgrade vulnerability.
* It is trivial to encrypt handshake messages, such as certificates, just as Noise does.
* There is a rough outline for how to modify the protocol for full steganographic mode (length padding, etc).
* Consideration is given to protocol-level DPA resistance.
Weaknesses:
* This design isn’t very good for asynchronous protocols. You can implement Axolotl using this as the symmetric crypto, but it’s not going to be much simpler than Axolotl itself.
* Not standard, obviously.
* Not super fast without hardware acceleration, and not parallelizable. Thus, this is primarily for lightweight applications.
* Only on version 0.2; may contain bugs.
Documentation and Python sample code are at: https://github.com/bitwiseshiftleft/strobelite/ <https://github.com/bitwiseshiftleft/strobelite/>
Please tell me what you think.
Cheers,
— Mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20151016/b0a02f94/attachment.html>
More information about the Noise
mailing list