[noise] Replacing TLS with noise
Trevor Perrin
trevp at trevp.net
Thu Dec 29 15:15:56 PST 2016
On Thu, Dec 29, 2016 at 1:38 PM, Rhys Weatherley <rhys.weatherley at gmail.com> wrote:
> On Fri, Dec 30, 2016 at 1:37 AM, Trevor Perrin <trevp at trevp.net> wrote:
>>
>> The spec mentions a "length field" and a "type field" which you could
>> use for some minimal framing. Basically, before each handshake
>> message, you could include:
>> - 1-byte type (zero by default)
>> - 2-byte length
>> [...]
>
> I think it may be worth defining an extension for a full "transparent
> socket-like layer using Noise" as this "how do I do TLS?" question will keep
> coming up.
Sounds like a worthy exercise, but will probably need some use cases
to keep it focused.
> There are lots of issues to define a practical and interoperable protocol:
>
> - Packet framing
> - Choice of handshake patterns. XX and Noise Pipes are obvious. However
> the way TLS is often used is more akin to NX than XX - no client auth. Are
> null public keys enough to turn XX into NX or do we need more packet types?
> NN may also be needed for fully anonymous connections with opportunistic
> encryption.
XX plus null public keys can emulate NN, NX, or XN. So for a single
handshake that is simple and flexible, XX is a pretty good choice.
Noise Pipes add a 0-RTT option (IK) but more complexity. With null
public keys IK can emulate NK, so Noise Pipes would work fine for
non-client-auth cases.
> - Negotiating the handshake pattern / features? And then incorporating this
> negotiation into the prologue.
> - Triggering re-negotiation of session keys after a significantly large
> amount of data has been sent (e.g. 1Gb), or after a certain amount of time
> (e.g. 1hr) has elapsed (*). This is tricky to do right with asynchronous
> communications in both directions.
The less negotiation the better (IMO), but I'll take up re-keying in
your other thread.
> - A standard place in the protocol to place client and server certificate
> information if the service needs it.
They should fit into handshake payloads pretty easily.
Trevor
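The framing Trevor sketches (a 1-byte type and a 2-byte length before each message) is easy to get subtly wrong on a byte stream, and the receiver also needs to know how big each XX message can be before handing it to ReadMessage. The following is an added example written for this page, not code from the thread or from the Noise project: it frames messages, reassembles frames from arbitrary stream chunks, derives the exact XX message sizes from the token rules (32-byte 25519 keys, 16-byte AEAD tags, `s` and the payload encrypted once any DH token has run), and shows the "XX plus null public keys emulates NX" idea from the reply as a receiver-side policy check. Assumptions not in the thread: big-endian length, type 1 for transport frames, and an all-zero 32-byte value as the null static key.

```python
import struct

# Framing from the thread: a 1-byte type then a 2-byte length before each message.
HEADER = struct.Struct("!BH")          # big-endian length is an assumption, not stated in the thread
TYPE_HANDSHAKE = 0                     # "zero by default", as the thread puts it
TYPE_TRANSPORT = 1                     # assumed value for post-handshake frames
NOISE_MAX_MESSAGE = 65535              # Noise per-message ceiling; a 2-byte length covers it exactly
DHLEN, TAGLEN = 32, 16                 # 25519 public key and AEAD tag sizes
NULL_PUBLIC_KEY = bytes(DHLEN)         # assumed "null" static key convention: all zeros

XX = (("e",), ("e", "ee", "s", "es"), ("s", "se"))   # the three XX message lines


def frame(msg_type: int, body: bytes) -> bytes:
    """Prefix one Noise message with its type and length."""
    if not 0 <= msg_type <= 255 or len(body) > NOISE_MAX_MESSAGE:
        raise ValueError("bad frame type or oversized body")
    return HEADER.pack(msg_type, len(body)) + body


class FrameReader:
    """Reassembles (type, body) frames from a byte stream delivered in arbitrary chunks."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        self._buf += chunk
        out = []
        while len(self._buf) >= HEADER.size:
            msg_type, length = HEADER.unpack_from(self._buf)
            end = HEADER.size + length
            if len(self._buf) < end:
                break                     # header seen, body still incomplete: wait
            out.append((msg_type, bytes(self._buf[HEADER.size:end])))
            del self._buf[:end]
        return out


def xx_message_length(step: int, payload_len: int) -> int:
    """Exact wire size of XX handshake message `step` (0, 1 or 2) carrying `payload_len`
    bytes: 'e' travels in the clear, while 's' and the payload are AEAD-encrypted (and grow
    by one tag) once any DH token has run MixKey. Key state carries over between messages."""
    have_key, size = False, 0
    for tokens in XX[:step + 1]:
        size = 0
        for tok in tokens:
            if tok == "e":
                size += DHLEN
            elif tok == "s":
                size += DHLEN + (TAGLEN if have_key else 0)
            else:
                have_key = True           # ee / es / se: MixKey installs a cipher key
        size += payload_len + (TAGLEN if have_key else 0)
    return size


def check_handshake_frame(step: int, msg_type: int, body: bytes) -> None:
    """Reject a frame before it reaches ReadMessage if it cannot be XX message `step`."""
    if msg_type != TYPE_HANDSHAKE:
        raise ValueError(f"expected handshake frame at step {step}, got type {msg_type}")
    if len(body) < xx_message_length(step, 0):
        raise ValueError(f"XX message {step} too short: {len(body)} bytes")


def classify_static(remote_static: bytes, require_auth: bool) -> str:
    """XX emulates NX (or NN) when a party sends a null static key; the receiver decides
    whether an unauthenticated peer is acceptable instead of negotiating another pattern."""
    if remote_static == NULL_PUBLIC_KEY:
        if require_auth:
            raise ValueError("peer sent a null static key but authentication is required")
        return "unauthenticated"
    return "authenticated"


def demo() -> list:
    """Constructed XX-shaped messages (filler bytes, no real crypto) framed, delivered as
    7-byte stream chunks that cut across headers, reassembled and size-checked per step.
    Returns the accepted body lengths in order."""
    payloads = [b"", b"server-cert-blob", b"client-says-hi"]
    bodies = [bytes([0x5A]) * xx_message_length(i, len(p)) for i, p in enumerate(payloads)]
    stream = b"".join(frame(TYPE_HANDSHAKE, b) for b in bodies)
    stream += frame(TYPE_TRANSPORT, bytes(TAGLEN))   # empty transport payload: only the tag
    reader, accepted, step = FrameReader(), [], 0
    for cut in range(0, len(stream), 7):
        for msg_type, body in reader.feed(stream[cut:cut + 7]):
            if step < len(XX):
                check_handshake_frame(step, msg_type, body)
                step += 1
            accepted.append(len(body))
    return accepted
```

The size function is what makes the length field useful on the receive side: a 2-byte length alone tells you where a frame ends, but not whether the frame is even long enough to hold the `e` and `s` slots the current XX step expects, so checking it first keeps a malformed or truncated frame from being mistaken for an authentication failure deeper in the handshake.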