[noise] suitably of using Noise in ICS environment

Adam Crain jadamcrain at automatak.com
Mon May 2 08:46:38 PDT 2016

Thanks Trevor, this makes sense to me that you can substitute HMAC for AEAD
anywhere you use symmetric keys. In so doing, we get to use the nice
handshake protections of Noise, but can keep the handshake metadata and
session encrypted for our niche application.


On Fri, Apr 29, 2016 at 1:40 PM, Trevor Perrin <trevp at trevp.net> wrote:

> On Fri, Apr 29, 2016 at 8:48 AM, Adam Crain <jadamcrain at automatak.com>
> wrote:
>> I have a question regarding how Noise uses AEAD cipher modes to
>> authenticate the key agreement. Is this primarily how Noise accomplishes
>> "identity hiding"? I.e., all the key agreement payloads would be encrypted,
>> thus observers wouldn't see any payload certificates, etc?
> Hi Adam,
> The AEAD during handshake accomplishes a few things, not just identity
> hiding, e.g.
>  - encrypts and authenticates handshake payloads
>  - confirms that the other party has derived the correct keys
>  - confirms that the other party has the same view of handshake hash
> If you want authentication of data, not confidentiality, I suppose you
> could define ENCRYPT() and DECRYPT() in terms of HMAC (which Noise needs
> anyways), e.g.
> ENCRYPT(k, n, ad, plaintext):
>   plaintext || HMAC(k, n || len(ad) || ad || plaintext)
> A lot of the Noise patterns defer sending static public keys until they
> can do it under encryption, but if that doesn't matter for you, you could
> consider patterns where all static public keys are sent in clear, like:
> -> e, s
> <- e, s, dhee, dhes, dhse
> Trevor


J Adam Crain - Partner


PGP 4096R/E2984A0C <https://www.automatak.com/keys/jadamcrain.asc> 2013-05-03
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20160502/4ea61cc0/attachment.html>

More information about the Noise mailing list