[noise] Notes and thoughts from RWC2017

Trevor Perrin trevp at trevp.net
Mon Jan 16 20:59:31 PST 2017

On Mon, Jan 16, 2017 at 11:50 AM, Scratch <scratch.net at gmail.com> wrote:
> So, in any way there will be something that is chained to a current
> symmetric key or the value that was produced at the very beginning. I
> was thinking of some kind of true re-handshake but the one that could
> be transparently hidden inside noise state machine and the above layer
> had no idea that re-handshaking is taking place while they are still
> encrypting\decrypting. Do you believe this is possible?

It's certainly possible to run another handshake inside an existing
Noise session, and then switch to the new session.

TLS renegotiation was basically that.  It was never very clear what it
was for, and the TLS mechanism had security problems, so I think
they're removing it in TLS 1.3.

I guess we could say something about how to do this safely, in the
Noise spec (another "Advanced use").  The main point would probaby be
including the handshake hash from parent session in the child
session's prologue.  But maybe we also chain a key into the child, so
we could think about this in the same context as deriving a PSK for

I'm not totally sure what use for this you have in mind.  If you want
this "transparently hidden" maybe you just want
continually-renegotiated forward-secrecy, like Signal's Double
Ratchet?  I'm not sure that's something we need to rebuild out of
Noise any time soon, but maybe someday...


More information about the Noise mailing list