[noise] suitably of using Noise in ICS environment

Trevor Perrin trevp at trevp.net
Fri Apr 29 10:40:28 PDT 2016


On Fri, Apr 29, 2016 at 8:48 AM, Adam Crain <jadamcrain at automatak.com>
wrote:

>
> I have a question regarding how Noise uses AEAD cipher modes to
> authenticate the key agreement. Is this primarily how Noise accomplishes
> "identity hiding"? I.e., all the key agreement payloads would be encrypted,
> thus observers wouldn't see any payload certificates, etc?
>


Hi Adam,

The AEAD during handshake accomplishes a few things, not just identity
hiding, e.g.
 - encrypts and authenticates handshake payloads
 - confirms that the other party has derived the correct keys
 - confirms that the other party has the same view of handshake hash

If you want authentication of data, not confidentiality, I suppose you
could define ENCRYPT() and DECRYPT() in terms of HMAC (which Noise needs
anyways), e.g.

ENCRYPT(k, n, ad, plaintext):
  plaintext || HMAC(k, n || len(ad) || ad || plaintext)


A lot of the Noise patterns defer sending static public keys until they can
do it under encryption, but if that doesn't matter for you, you could
consider patterns where all static public keys are sent in clear, like:

-> e, s
<- e, s, dhee, dhes, dhse


Trevor