[noise] [NoiseSocket] First handshake message parsing questions

Rhys Weatherley rhys.weatherley at gmail.com
Sun Feb 26 14:19:02 PST 2017


On Mon, Feb 27, 2017 at 6:24 AM, Trevor Perrin <trevp at trevp.net> wrote:

> I was thinking the client would send:
>
> version with explicit 25519 ephemeral
> version with implicit 25519 ephemeral
> version with implicit 25519 ephemeral
> ...
>
> version with explicit 448 ephemeral
> version with implicit 448 ephemeral
> version with implicit 448 ephemeral
> ...
>
> That would save bytes in case you're offering, say, a 25519 public key
> with several different ciphers.
>
> But Rhys is probably right that for simplicity we should just have all
> initial messages be explicit.
>

Here's an alternative I thought of after sending my previous message:

0: XX_25519...AESGCM with explicit 25519 ephemeral
1: XX_25519...ChaChaPoly, duplicate 0
...
8: XX_448...AESGCM with explicit 448 ephemeral
9: XX_448...ChaChaPoly, duplicate 8

For implicit sub-messages, the number of the previous sub-message "e" that
is being duplicated is given.  Then the responder doesn't have to "just
know" which of the previous messages is being implicitly duplicated.  A
single-byte sub-message with the index should be sufficient as there are no
valid Noise handshakes with single-byte messages.

Duplication can only be used when the entire first handshake packet is
identical.  In other words, "I already gave you the data for this packet in
sub-message 8 above".  It should be easier to validate and less knowledge
is needed to guess which of the previous sub-messages contains the "e" of
interest.

Duplicating the entire packet makes the scheme easier to extend to HFS:
it's not just the "e" that is elided, but "e, f".

If the sender did something deliberately malicious like duplicate a
previous short 25519 packet for a later 448 pattern, then the normal length
and packet validity checks will catch the problem later and the handshake
will fail.

Cheers,

Rhys.
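As an added example (not code from the original message, Rhys, or the NoiseSocket project), here is the duplication scheme sketched above worked through as an encoder and a responder-side parser. The framing is an assumption made for the example: each sub-message is prefixed with a 2-byte big-endian length, a one-byte body is an index back to an earlier sub-message whose packet it duplicates, and anything longer is an explicit first handshake packet. The offered protocol list is assumed to be known to both sides by position. The ephemeral bytes and protocol names are constructed sample data, and the length check stands in for the "normal length and packet validity checks" the message refers to.

```python
import struct
from typing import Dict, List, Tuple

# Assumed framing for this example (not NoiseSocket's real wire format):
# each sub-message is <2-byte big-endian length><body>. A one-byte body is
# an index of an earlier sub-message whose entire packet is duplicated;
# this is unambiguous because no valid Noise handshake message is one byte.
_DH_LEN = {"25519": 32, "448": 56}

def dh_len(protocol_name: str) -> int:
    """DH public key size for a Noise protocol name such as Noise_XX_25519_AESGCM_SHA256."""
    return _DH_LEN[protocol_name.split("_")[2]]

def encode_first_message(offers: List[Tuple[str, bytes]]) -> bytes:
    """Initiator side: emit each distinct packet explicitly the first time it
    appears and a one-byte back-reference for every later identical packet."""
    out = bytearray()
    first_index: Dict[bytes, int] = {}
    for i, (_, packet) in enumerate(offers):
        if len(packet) <= 1:
            raise ValueError("a first handshake packet is never 0 or 1 bytes")
        if packet in first_index:
            body = bytes([first_index[packet]])   # "same packet as sub-message N"
        else:
            first_index[packet] = i
            body = packet
        out += struct.pack(">H", len(body)) + body
    return bytes(out)

def parse_first_message(data: bytes) -> List[bytes]:
    """Responder side: split into sub-messages and resolve duplicates so the
    caller sees the explicit packet for every offer. Rejects references to
    the current or a later sub-message and any truncated framing."""
    packets: List[bytes] = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        body = data[pos:pos + n]
        if len(body) != n:
            raise ValueError("truncated sub-message")
        pos += n
        if n == 0:
            raise ValueError("empty sub-message")
        if n == 1:
            ref = body[0]
            if ref >= len(packets):
                raise ValueError(f"sub-message {len(packets)} duplicates {ref}, which is not earlier")
            packets.append(packets[ref])
        else:
            packets.append(bytes(body))
    return packets

def is_well_formed(data: bytes) -> bool:
    try:
        parse_first_message(data)
        return True
    except ValueError:
        return False

def validate(protocol_names: List[str], packets: List[bytes]) -> List[bool]:
    """The ordinary per-pattern check, applied after duplicates are resolved:
    the first XX message starts with 'e', so it cannot be shorter than the
    pattern's DH public key. A 25519 packet duplicated into a 448 slot fails here."""
    return [len(pkt) >= dh_len(name) for name, pkt in zip(protocol_names, packets)]

# Constructed sample data (not real keys).
E_25519 = bytes(range(32))
E_448 = bytes(range(56))
OFFERS = [
    ("Noise_XX_25519_AESGCM_SHA256", E_25519),
    ("Noise_XX_25519_ChaChaPoly_SHA256", E_25519),   # duplicate of 0
    ("Noise_XX_448_AESGCM_SHA512", E_448),
    ("Noise_XX_448_ChaChaPoly_SHA512", E_448),       # duplicate of 2
]
OFFER_NAMES = [name for name, _ in OFFERS]

# Constructed malicious message: sub-message 2 (a 448 pattern) claims to
# duplicate the short 25519 packet sent as sub-message 0.
MALICIOUS_NAMES = OFFER_NAMES[:3]
MALICIOUS = struct.pack(">H", 32) + E_25519 + b"\x00\x01\x00" + b"\x00\x01\x00"

if __name__ == "__main__":
    wire = encode_first_message(OFFERS)
    print(len(wire), "bytes on the wire vs", sum(2 + len(p) for _, p in OFFERS), "fully explicit")
    print(validate(MALICIOUS_NAMES, parse_first_message(MALICIOUS)))
```

The parser only ever resolves an index against sub-messages it has already fully decoded, so a reference can never point at itself, at a later slot, or at another index; and because the check in validate runs on the resolved bytes, a duplicated packet gets exactly the same scrutiny as an explicit one.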