[noise] suitability of using Noise in ICS environment

Adam Crain jadamcrain at automatak.com
Fri Apr 29 08:48:40 PDT 2016

Hi all,

I'm working on a project with some electric utilities to develop a
cryptographic wrapper that can be used with existing serial channels (point
to multi-point 900 MHz radio as an example). We'll have to design a framing
layer that handles things like addressing and error detection.

We've been looking at Noise as a candidate for the cryptographic layer
as it seems to be well designed, makes efficient use of bytes, and uses
modern primitives that will be efficient in a low-bandwidth environment.

Utility environment(s) are a bit different from standard IT in that we
don't care about confidentiality of the information protected by our
protocol (i.e. our session need only be authenticated).  We want NSM tools
to be able to see everything that is going on, and who is talking to who,
without having to spread credentials around haphazardly. With that said,
we'd likely only be using the key agreement part of Noise, and not using
encryption for the session.

I have a question regarding how Noise uses AEAD cipher modes to
authenticate the key agreement. Is this primarily how Noise accomplishes
"identity hiding"? I.e., all the key agreement payloads would be encrypted,
thus observers wouldn't see any payload certificates, etc? I believe that
in our use case this is actually a downside. We'd want this metadata to be
as visible as possible on our private network. I just want to make sure
there isn't something I'm missing about the design of the key agreement
authentication other than the identity hiding benefits. Given that we
explicitly want as much identity metadata to be visible as possible, I
think we'd be better off using some kind of modern DSA like Ed25519 for
key-agreement authentication.

What I really like about Noise's design is the hashing scheme that provides
protection from downgrade attacks, etc, i.e. that everything in the
handshake is authenticated.  Do you see any straightforward way we could
modify the design to use a DSA?

Many thanks for any insights you can provide.



J Adam Crain - Partner


PGP 4096R/E2984A0C <https://www.automatak.com/keys/jadamcrain.asc> 2013-05-03
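
Added example, not part of the original message and not the Noise project's code: the handshake hashing the post refers to, following the Noise specification's MixHash rule h = HASH(h || data), run over cleartext fields to show why an altered negotiation field changes the value both sides must agree on. The prologue contents, field values and function names are constructed for illustration; no key agreement, encryption or signature is performed here.

```python
import hashlib

HASHLEN = 32  # SHA-256 output size


def initial_h(protocol_name: bytes) -> bytes:
    # Noise rule: names up to HASHLEN bytes are zero-padded, longer ones hashed.
    if len(protocol_name) <= HASHLEN:
        return protocol_name.ljust(HASHLEN, b"\x00")
    return hashlib.sha256(protocol_name).digest()


def mix_hash(h: bytes, data: bytes) -> bytes:
    # MixHash: h = HASH(h || data)
    return hashlib.sha256(h + data).digest()


def transcript_hash(protocol_name: bytes, prologue: bytes, fields) -> bytes:
    # The prologue is mixed first, then every handshake field in wire order.
    h = mix_hash(initial_h(protocol_name), prologue)
    for field in fields:
        h = mix_hash(h, field)
    return h


def demo():
    name = b"Noise_XX_25519_ChaChaPoly_SHA256"
    # Constructed sample data: a hypothetical framing-layer prologue and
    # placeholder handshake fields (not real keys or certificates).
    prologue_sent = b"link-addr=0x0001;versions=1,2"
    prologue_seen = b"link-addr=0x0001;versions=1"  # altered in transit
    fields = [b"\x01" * 32, b"constructed-cleartext-identity-payload"]

    h_initiator = transcript_hash(name, prologue_sent, fields)
    h_responder = transcript_hash(name, prologue_seen, fields)
    h_untouched = transcript_hash(name, prologue_sent, fields)
    return h_initiator, h_responder, h_untouched


if __name__ == "__main__":
    a, b, c = demo()
    print("initiator h:", a.hex())
    print("responder h:", b.hex())
    print("match after tampering:", a == b)
    print("match when untouched: ", a == c)
```

Whatever authenticates the handshake, whether an AEAD tag with h as associated data or a signature computed over h, fails to verify when the two sides hold different values of h.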