[noise] [NoiseSocket] First handshake message parsing questions

Rhys Weatherley rhys.weatherley at gmail.com
Sun Feb 26 14:19:02 PST 2017

On Mon, Feb 27, 2017 at 6:24 AM, Trevor Perrin <trevp at trevp.net> wrote:

> I was thinking the client would send:
> version with explicit 25519 ephemeral
> version with implicit 25519 ephemeral
> version with implicit 25519 ephemeral
> ...
> version with explicit 448 ephemeral
> version with implicit 448 ephemeral
> version with implicit 448 ephemeral
> ...
> That would save bytes in case you're offering, say, a 25519 public key
> with several different ciphers.
> But Rhys is probably right that for simplicity we should just have all
> initial messages be explicit.

Here's an alternative I thought of after sending my previous message:

0: XX_25519...AESGCM with explicit 25519 ephemeral
1: XX_25519...ChaChaPoly, duplicate 0
8: XX_448...AESGCM with explicit 448 ephemeral
9: XX_448...ChaChaPoly, duplicate 8

For implicit sub-messages, the number of the previous sub-message "e" that
is being duplicated is given.  Then the responder doesn't have to "just
know" which of the previous messages is being implicitly duplicated.  A
single-byte sub-message with the index should be sufficient as there are no
valid Noise handshakes with single-byte messages.

Duplication can only be used when the entire first handshake packet is
identical.  In other words, "I already gave you the data for this packet in
sub-message 8 above".  It should be easier to validate and less knowledge
is needed to guess which of the previous sub-messages contains the "e" of

Duplicating the entire packet makes the scheme easier to extend to HFS:
it's not just the "e" that is elided, but "e, f".

If the sender did something deliberately malicious like duplicate a
previous short 25519 packet for a later 448 pattern, then the normal length
and packet validity checks will catch the problem later and the handshake
will fail.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20170227/d20717fe/attachment.html>

More information about the Noise mailing list