[noise] NoisePSK

Trevor Perrin trevp at trevp.net
Thu Nov 12 00:12:29 PST 2015


Jason and others want PSK support.  I suggested using pre-shared
ephemerals and then starting the first message's pattern with dhee.
Jason pointed out this could reuse k and n for encrypting the
initiator's first ephemeral, which breaks the security of that
encryption.  One could argue that encryption of this ephemeral isn't
important, but a user who configures a PSK would reasonably expect
*everything* to be protected with that PSK going forward.

The issue is that Noise doesn't use explicit random values to prevent
key reuse (like TLS ClientRandom / ServerRandom).  Instead, Noise
relies on unique-per-handshake ephemerals, but that doesn't work for
encrypting the ephemerals themselves.

One idea is to have "NoisePSK" handshakes which differ from "Noise"
handshakes in two ways:
 (1) A "preshared_key" value is mixed into SymmetricState, e.g.

Initialize():
    # handle handshake_name = NoisePSK_[???], prologue
    psk1, psk2 = HKDF(preshared_key, empty)
    MixKey(psk1)
    MixHash(psk2)
    ...

 (2) The initiator and responder's first messages begin with a 32-byte
random field, and MixKey(random) is called on it, before processing
the rest of the message.

This way, security from DH and PSK would be additive:  even if all DH
stuff is insecure you get security from PSK, and vice versa.

The explicit random fields are potentially useful outside of preshared
keys, in cases where you want to reuse DH keys without a fresh
ephemeral.  For example a NaCl crypto_box is basically a static-static
DH plus a 24-byte random field.

So we could consider allowing explicit nonces without PSK, but I think
it's simpler to not have so many options and just package these
together: If you want a NaCL-box equivalent, you can do something
like:

NoisePSK_S(s, rs):
 -> s
 <- s
 ------
 -> dhss

with zero-length PSK.  Note this is an invalid "Noise" pattern due to
lack of ephemerals, but is OK with "NoisePSK".

Thoughts?

Trevor


More information about the Noise mailing list