[noise] Branch: "imp"

Trevor Perrin trevp at trevp.net
Sat Nov 7 10:31:57 PST 2015 

I'm finishing up an implementation, which motivated some spec cleanup,
and a few small tweaks:

https://github.com/trevp/noise/blob/imp/noise.md

(Will probably merge this in a couple days, if no objections.)


Substantive changes
--------------------

 - Added notion of a "prologue" byte-sequence.  MixHash(prologue) is
called during initialization:  "may be zero-length, or which may
contain context information that both parties want to confirm is
identical, such as protocol or version negotiation messages sent
previously".

For example, if you have an application-specific string to allow key
reuse while differentiating applications, it can be used as prologue.
Or if you're doing handshake re-initialization based on some
negotiated messages, you could throw those messages into the prologue
to prevent rollback attacks.

 - Changed order of pre-messages so that initiator pre-message is
before responder pre-message.  This makes more sense, since the
initator's first message is before the responder's message.  So for
example, NoiseKK is now:

Noise_KK(s, rs):
    -> s
    <- s
    ------
    -> e, dhes, dhss
    <- e, dhee, dhes

Instead of:

Noise_KK(s, rs):
    <- s
    -> s
    ------
    -> e, dhes, dhss
    <- e, dhee, dhes

 - Changed Noise_IN handshake to send "s, e" in clear instead of "e,
s", for consistency with other patterns sending "s, e".

 - Fixed a mistake in Noise_IX pattern:
   "e, dhee, dhes, dhse" -> "e, dhee, dhes, s, dhse"


Clarifications
---------------

 - Clarified handling of invalid DH public keys ("output may be set to
all zeros or any other value..."); removed the "allowed to abort"
option, better to steer people down one path to avoid implementation
fingerprinting risk.

 - Clarified definition of handshake pattern to include both message
patterns, *and* pre-message patterns for the initiator and responder

 - Expanded discussion of "Noise Pipes".  In particular:
   - The Noise_XXfallback pattern was confusing because initiator and
responder switch roles, but I wasn't changing the arrow directions or
parenthesized-keys to reflect that, so I changed it to be consistent
with other notation.
   - Clarified that Noise pipes should use 1-byte type, 2-byte length,
so that we can get interoperable Noise pipes as the default Noise use.


Clean up pseudocode
--------------------

 - Renamed "SymmetricHandshakeState" -> "SymmetricState"

 - Renamed "WriteHandshakeMessage" / "ReadHandshakeMessage" ->
"WriteMessage" / "ReadMessage"

 - Renamed "descriptors" / "patterns" -> "message patterns" /
"handshake patterns", so we have less jargon

 - Expanded Initialize() function so it handles MixHash() on
pre-message public keys, and stores the handshake pattterns.  This
also simplifies the pseudocode for WriteMessage and ReadMessage.


Trevor

More information about the Noise mailing list