[noise] Noise_XR

Trevor Perrin trevp at trevp.net
Thu May 12 08:45:19 PDT 2016 

On Thu, May 12, 2016 at 1:27 AM, Rhys Weatherley
<rhys.weatherley at gmail.com> wrote:
> On Thu, May 12, 2016 at 2:34 PM, Trevor Perrin <trevp at trevp.net> wrote:
>>
>> On further thought, XR and SIGMA-R aren't that useful.  They're almost
>> the same as if the initiator just asked the responder to initiate an
>> XX handshake.
>
>
> Except for the responder identity hiding.  There may be a use for the
> responder being able to terminate the session with "Nope - not talking to
> you" when the initiator identifies themselves and are not on an approved
> whitelist.  For example, a VPN ingress point on a company network for roving
> employees.
>
> The responder will often be an unattended server running on a port, subject
> to potentially millions of automated hack attempts.  The less the responder
> reveals about themselves to unknown entities before aborting the connection,
> the better.  XR is the only pattern with this property.


I didn't explain well enough.

Instead of Noise_XR, imagine the client sends an (unauthenticated)
message to the server asking the server to initiate a Noise_XX
handshake.

This just interchanges the initiator and responder roles, so it still
accomplishes "server identity hiding" like Noise_XR would.

The only difference is that in Noise_XR the server's first message
could be encrypted with a dhee, but since there's no authentication to
this encryption, it doesn't have much value.


> Rather than focusing on the patterns or the SIGMA-whatever, I would focus on
> the use cases.  What are the top 5 use cases for Noise and what are the best
> patterns to accomplish each with various initiator/responder privacy
> trade-offs?  Live chat, VPN's, file encryption, ... ?
>
> I don't in principle have a problem with removing XR, but there may be other
> patterns that are equally unhelpful.

The other 12 interactive patterns flesh out the (No key / Known key /
Xmitted key / Immediately transmit key) cross-product nicely.  Some of
them are probably less useful, but I'd still leave all 12, just to be
comple here.

I would like to add more zero-RTT patterns with semi-ephemeral use,
since those get interesting and would allow protocols similar to QUIC
or MinimaLT.  But that'll be a separate thread.

Trevor

More information about the Noise mailing list