[noise] Hidden fallback

Trevor Perrin trevp at trevp.net
Sat Apr 23 20:00:18 PDT 2016

On Sat, Apr 23, 2016 at 4:43 PM, Rhys Weatherley
<rhys.weatherley at gmail.com> wrote:
> Another concern I have is that the protocol reveals if a fallback has
> occurred or not in the sequence of packets that are exchanged.  Some systems
> may not want to reveal to passive surveillance that a key change has
> occurred, or that the initiator is currently ignorant of the responder's key
> and thus a ripe target for an active MITM.
> I was wondering if it was possible to create a "hidden fallback" pattern
> that encompasses IK, XX, and XXfallback in one pattern.

Yes!  Should be easy:

Use Noise Pipes, but add random data into payloads to pad all
handshake messages to the same size, and do trial encryption instead
of type bytes or other indicators.

Server assumes client's first message is abbreviated handshake (IK),
and tries to decrypt.  If decrypt fails, server assume it's a full
handshake (XX).

If client tried an abbreviated handshake (IK), client assumes first
response was from IK, and tries to decrypt.  If decrypt fails, client
assumes it's a fallback handshake (XXfallback).



More information about the Noise mailing list