[noise] Hidden fallback

Alex alex at centromere.net
Sat Apr 23 17:43:06 PDT 2016

On Sun, 24 Apr 2016 09:43:23 +1000
Rhys Weatherley <rhys.weatherley at gmail.com> wrote:

> WriteMessage() is modified to include:
> * For "dhes-fallback":
>   - Save the current chaining key.
>   - Call MixKey(DH(e, rs))
>   - Appends EncryptAndHash(empty) to the buffer.
>   - Do not perform EncryptAndHash(payload).  The payload must be empty.

One thing I am very happy about with Noise is that it is well
encapsulated. For example, tokens don't know about the existence of the
payload, and from the perspective of write/readMessage, tokens are
basically opaque operations which mutate a SymmetricState/buffer/key
set. The resulting logic is then:

1. Run the tokens,
2. EncryptAndHash/DecryptAndHash(payload), and
3. Split() if necessary.

This design choice has led to an elegant design pattern in cacophony,
whereby I can represent every single handshake pattern as a series of
primitive operations in a DSL[0]. The interpreter for this DSL is very
straightforward. Even someone who has never seen Haskell before can
verify that the patterns are correct.

I fear that your changes would emulsify the protocol stack. By making
the protocol say, "Perform EncryptAndHash(payload) for all tokens
EXCEPT this one", it adds special cases and exceptions that make the
code more complex and more difficult to audit.


[0] https://github.com/centromere/cacophony/blob/master/src/Crypto/Noise/HandshakePatterns.hs#L44
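
Added example, not part of the original message and not cacophony's code: a symbolic Python model (calls are recorded, no cryptography is performed) of the three-step write logic described above, next to a variant carrying the quoted "dhes-fallback" steps. The class and function names, the string labels standing in for keys and payloads, and the token sequences used to exercise it are assumptions made for illustration.

```python
# Symbolic model (added example): calls are recorded, nothing is encrypted.
class SymmetricState:
    def __init__(self):
        self.trace = []
    def mix_hash(self, data):
        self.trace.append(f"MixHash({data})")
    def mix_key(self, ikm):
        self.trace.append(f"MixKey({ikm})")
    def encrypt_and_hash(self, label):
        self.trace.append(f"EncryptAndHash({label})")
        return [f"enc({label})"]

# Tokens are opaque operations on (state, buffer); none of them sees the payload.
def tok_e(ss, buf):
    buf.append("e.pub")
    ss.mix_hash("e.pub")
def tok_s(ss, buf):
    buf.extend(ss.encrypt_and_hash("s.pub"))
def tok_dhes(ss, buf):
    ss.mix_key("DH(e, rs)")
TOKENS = {"e": tok_e, "s": tok_s, "dhes": tok_dhes}

def write_message(ss, tokens, payload):
    buf = []
    for name in tokens:                       # 1. run the tokens
        TOKENS[name](ss, buf)
    buf.extend(ss.encrypt_and_hash(payload))  # 2. unconditional, every message
    return buf                                # 3. Split() is not modelled here

def write_message_with_fallback(ss, tokens, payload):
    """Hypothetical variant with the quoted "dhes-fallback" steps added."""
    buf = []
    for name in tokens:
        if name == "dhes-fallback":
            ss.trace.append("SaveChainingKey")
            ss.mix_key("DH(e, rs)")
            buf.extend(ss.encrypt_and_hash("empty"))
        else:
            TOKENS[name](ss, buf)
    if "dhes-fallback" not in tokens:         # step 2 now depends on the tokens
        buf.extend(ss.encrypt_and_hash(payload))
    elif payload != "empty":
        raise ValueError("payload must be empty with dhes-fallback")
    return buf

def payload_processed(ss):
    """Audit check: did the message end with EncryptAndHash on its payload?"""
    return bool(ss.trace) and ss.trace[-1] == "EncryptAndHash(payload)"
```

With the first function the audit check holds for any token list; with the second, whether it holds depends on which tokens were run.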
