[noise] Re-keying CipherState's

Rhys Weatherley rhys.weatherley at gmail.com
Thu Dec 29 14:39:45 PST 2016

After posting my previous message, I thought a bit more about
re-negotiation of keys during a session.

Using resumption keys and a completely new NoisePSK_NN handshake may be a
bit heavy.  And it is difficult to co-ordinate between the two directions
when they should stop using the previous keys and re-negotiate.

  - If k is empty or n is 2^64-1, then signal an error and fail.
  - Set temp to the first 32 bytes of ENCRYPT(k, n, [], zeroes) where
    zeroes is a sequence of 32 zero bytes.
  - InitializeKey(temp)

Essentially, this is generating a resumption key with an earlier nonce
value than the special 2^64-1 value for generating cross-session PSKs.

This makes it easier to implement re-negotiation in a direction-independent
manner.  For example:

  - If the total number of bytes sent so far in this direction is >1Gb,
    then call Rekey() and send the next packet with type 2 instead of type 0.
    And reset the byte count for this direction to 0.
  - If the incoming packet has type 2, then call Rekey() for the direction
    and reset the byte count to zero.
  - If the total number of bytes received so far in this direction is >(1Gb
    + 64K), then abort the connection because an expected re-negotiation did
    not occur.
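
The Rekey() steps and the type 0 / type 2 byte-count rules from this message, sketched in Go as an added example (not code from the post or from any Noise implementation). It assumes the AESGCM cipher functions of the Noise specification for ENCRYPT and reads 1Gb as 2^30 bytes; the Direction type, its field names and the Send/Receive helpers are hypothetical, and the thresholds are fields so the logic can be exercised with small values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

type Direction struct { // one direction: CipherState (K, N) plus byte counter
	K                      []byte
	N, Bytes, Limit, Slack uint64 // Limit is 1Gb, Slack 64K in the message
}

// Rekey sets k to the first 32 bytes of ENCRYPT(k, n, [], zeroes), n to 0.
func (d *Direction) Rekey() error {
	block, err := aes.NewCipher(d.K) // fails when k is empty
	if err != nil || d.N == ^uint64(0) {
		return fmt.Errorf("rekey: no key set or nonce is 2^64-1")
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	nonce := make([]byte, 12)       // Noise AESGCM: 4 zero bytes, big-endian n
	binary.BigEndian.PutUint64(nonce[4:], d.N)
	d.K, d.N, d.Bytes = aead.Seal(nil, nonce, make([]byte, 32), nil)[:32], 0, 0
	return nil
}

// Send returns the type of the next outgoing packet: 2 right after a rekey.
func (d *Direction) Send(size uint64) (typ byte, err error) {
	if d.Bytes > d.Limit {
		typ, err = 2, d.Rekey()
	}
	d.Bytes, d.N = d.Bytes+size, d.N+1 // the payload uses up one nonce
	return typ, err
}

// Receive rekeys on type 2 and aborts when an expected rekey never arrived.
func (d *Direction) Receive(typ byte, size uint64) (err error) {
	if typ == 2 {
		err = d.Rekey()
	} else if d.Bytes+size > d.Limit+d.Slack {
		err = fmt.Errorf("expected re-negotiation did not occur")
	}
	d.Bytes, d.N = d.Bytes+size, d.N+1
	return err
}

func main() {
	fmt.Println((&Direction{K: make([]byte, 32), Limit: 1 << 30, Slack: 64 << 10}).Send(1200))
}
```

Each direction of a session gets its own Direction value, so the two directions rekey independently of each other.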


