[noise] small questions on the spec

David Wong davidwong.crypto at gmail.com
Sat Jun 17 03:02:45 PDT 2017


I have a few questions for the list:


> All Noise messages are less than or equal to 65535 bytes in length.

How do you propose we check for that? My idea is that we have to check
that in multiple places:

* in the WriteMessage() function for the final payload being sent
* in the ReadMessage() function for reading the other peer's message
* in the encryptWithAd()/decryptWithAd() for calls after the handshake is done


> For "s": Sets temp to the next DHLEN + 16 bytes of the message if HasKey() == True, or to the next DHLEN bytes otherwise. Sets rs to DecryptAndHash(temp).

Shouldn't there be some indication as well for key verification
(pinning, PKI)? As I understand, Noise_XX has each peer send its
static key during the handshake so there must be some verification


How does `EncryptAndHash()` handle an error returned by
`EncryptWithAd()`? Trevp mentioned Section 5:

> The application may choose to delete the CipherState and terminate the session on such an error, or may continue to attempt communications. If EncryptWithAd() or DecryptWithAd() signal an error due to nonce exhaustion, then the application must delete the CipherState and terminate the session.

But I think it lacks indications in the function descriptions.
EncryptWithAd does say that it can return an error to the caller, so I
think EncryptAndHash should mention returning an error as well. This
should probably go all the way up and be something that WriteMessage
or ReadMessage can return to the application (which would make sense
with the quote above)


There is no real distinction between public functions and internal
functions. Public functions seem to be:

Initialize(), ReadMessage(), WriteMessage(), EncryptWithAd(), DecryptWithAd()

The rest seems like it should be private. My suggestion: add a "_" in
front of function names that are supposed to be private (this is what
the Strobe specification does) and an explanation of what this "_" is.


suggestion: Initialize should return a HandshakeState, not be based on
a HandshakeState.

