[noise] Explicit nonces (for lossy transports)
Jake McGinty
me at jake.su
Mon Jun 12 05:34:12 PDT 2017
Right now, the Noise spec is unusable for applications that work better
over lossy transports (gaming or video chat) due to the fact that
CipherState only works with an implicit nonce, so dropped and out-of-
order packets won’t fare well.
WireGuard, for example, has essentially implemented an alternate ending to
the Split() as defined in the handshake spec, and instead derives keys for
sending/receiving ciphers which use explicit nonces and a standard
windowing algorithm to efficiently avoid replay attacks (as detailed in
https://www.wireguard.io/papers/wireguard.pdf section 5.4.6).
Because Noise *does* specify the CipherStates to be used in transport mode,
it seems like an extension to support explicit nonces would be necessary
for applications that want to use a standardized Noise protocol.
Would turning something like WireGuard’s explicit nonce spec into an
official Noise extension be a welcomed contribution?
More information about the Noise
mailing list