[noise] Std-Noise vs WhatsApp-Noise

Rhys Weatherley rhys.weatherley at gmail.com
Sun Jul 10 01:44:42 PDT 2016

I have users for Noise-Java!  One of them has apparently been trying to use
it to interface with WhatsApp, and found this:


Using "XX", failure occurs on the payload of the first message from the
responder to the initiator (second "XX" message).  The chaining key appears
to be OK - the "garbage" described on the ticket actually contains ASCII:
"WhatsAppLongTerm" and "Chat Static Public Key" to be precise.

The payload decrypted, but the MAC was incorrect.  My suspicion is that
either "h" is incorrect at that point due to some misunderstanding of the
spec on my part.  Or alternatively, WhatsApp is encrypting payloads in a
different way from the specification.

Before I try to chase this down further, I have a question: Is WhatsApp
using the Noise Pipes described in the spec or an earlier version with
different method for protecting payloads on handshake packets?

I know that cacophony (Haskell) and Noise-Java both pass the same "XX" test
vectors listed on the wiki.  Can other implementers check as well just to
make sure that Alex and I aren't off in our own little world?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20160710/cf7eba2e/attachment.html>

More information about the Noise mailing list