[noise] Termination

Alex alex at centromere.net
Fri Apr 22 15:53:43 PDT 2016

On Sat, 23 Apr 2016 08:08:41 +1000
Rhys Weatherley <rhys.weatherley at gmail.com> wrote:

> We have packet types 0 and 1 with defined meanings for XXfallback.
> Maybe we need a packet type 2 for "will no longer send data in this
> direction"? The packet content is the output of EncryptWithAd() for
> the final nonce value, ad, and payload.  When a type 2 packet is
> received, the receiver will authenticate it, flag the direction as
> properly terminated, and then any further traffic will raise an
> error.  Maybe add EncryptFinalWithAd() and DecryptFinalWithAd()
> functions to CipherState to formalize it?

Despite being described in section 9.2, I think Noise Pipes fall
outside the scope of the spec in terms of what is normative. The way I
interpret it, Noise Pipes are just an example of a higher level
protocol an application could define.

> It is necessary for applications to get the details right.  For
> example, the packet type (0, 1, or 2) for all packets must be
> included in the "ad" to prevent MITM spoofing of an early session end
> by modifying the packet type on an earlier packet.

"all packets" -- Handshake messages, Transport messages, or both? Why
can't this type of signaling be done inside the payload?


More information about the Noise mailing list