[noise] [NoiseSocket] First handshake message parsing questions
Alexey Ermishkin
scratch.net at gmail.com
Mon Feb 27 11:54:57 PST 2017
Another question that I'd like to discuss once again is sub-messages naming.
Do we really need to switch from Noise_XX_blablabla to NoiseSocket_blablabla? The pattern logic is the same and we have our mandatory prologue if we want to differ (why?) from other implementations
I really want to add IK support to the first version and it will look ugly to use NoiseSocket for XX and Noise_IK for IK
-----Original Message-----
From: Trevor Perrin [mailto:trevp at trevp.net]
Sent: Monday, February 27, 2017 3:58 AM
To: Rhys Weatherley <rhys.weatherley at gmail.com>
Cc: Alexey Ermishkin <scratch.net at gmail.com>; noise <noise at moderncrypto.org>
Subject: Re: [noise] [NoiseSocket] First handshake message parsing questions
On Sun, Feb 26, 2017 at 2:19 PM, Rhys Weatherley <rhys.weatherley at gmail.com> wrote:
> On Mon, Feb 27, 2017 at 6:24 AM, Trevor Perrin <trevp at trevp.net> wrote:
>>
>> I was thinking the client would send:
>>
>> version with explicit 25519 ephemeral version with implicit 25519
>> ephemeral version with implicit 25519 ephemeral ...
>>
>> version with explicit 448 ephemeral
>> version with implicit 448 ephemeral
>> version with implicit 448 ephemeral
>> ...
>>
>> That would save bytes in case you're offering, say, a 25519 public
>> key with several different ciphers.
>>
>> But Rhys is probably right that for simplicity we should just have
>> all initial messages be explicit.
>
>
> Here's an alternative I thought of after sending my previous message:
>
> 0: XX_25519...AESGCM with explicit 25519 ephemeral
> 1: XX_25519...ChaChaPoly, duplicate 0
> ...
> 8: XX_448...AESGCM with explicit 448 ephemeral
> 9: XX_448...ChaChaPoly, duplicate 8
>
> For implicit sub-messages, the number of the previous sub-message "e"
> that is being duplicated is given. Then the responder doesn't have to
> "just know" which of the previous messages is being implicitly duplicated.
Is that actually easier to parse than just having zero-length implicit messages use the previous non-zero-length explicit message?
I would think looking up an explicit message by number is more complicated than just always using the previous one?
> Duplicating the entire packet makes the scheme easier to extend to
> HFS: it's not just the "e" that is elided, but "e, f".
That makes sense.
(I'm still fine with leaving out implicit message support, or including it, I think.)
Trevor
More information about the Noise
mailing list