[noise] Comparing SSH and Noise
trevp at trevp.net
Wed Jun 28 20:00:00 PDT 2017
On Wed, Jun 28, 2017 at 7:47 PM, Rhys Weatherley
<rhys.weatherley at gmail.com> wrote:
> On Wed, Jun 28, 2017 at 6:38 PM, Trevor Perrin <trevp at trevp.net> wrote:
>> TLS renegotiation in HTTPS was sometimes used like this (initial
>> server-authenticated handshake, then the server triggers a
>> renegotiation for client-auth once it learns which resource the client
>> is requesting). Though I think that's discouraged / deprecated
> Was there some security reason for why authenticating this way was
> discouraged? Other than re-negotiation itself being a problem separately
> from the auth?
Yeah, TLS renegotiation had problems discovered in 2009 and 2014, and
wasn't used much anyways. I didn't follow that part of TLS history
> It was actually the client's handshake ephemeral. Which can be tossed as
> soon as the authentication step has completed.
>> * If you use the server's static then there's a KCI issue, i.e. the
>> client-auth can be forged if the server's key is compromised.
>> You might prefer something like:
>> <- e
>> -> se
>> With the handshake hash from the enclosing session in the prologue. But
>> that's an invalid pattern, so we'd need a special rule for that!
> I was hoping for something that could be done with a one-way pattern to
> avoid an extra turn-around. Noise_X on its own would work, with a fresh
> ephemeral. I was exploring ideas to reduce the computational overhead by
> reusing previous ephemerals or not using them at all. Noise_X would be
> safer and easier to justify.
>> There could be a Noise extension here, but it would be more worthwhile
>> if we had a customer and use case in mind.
> My use case is funnily enough - SSH. Or something like it. Doing any kind
> of secure command-and-control on embedded devices is hard because of the
> heavy overhead of both TLS and SSH. There are two shell modes of interest:
> devices "phoning home" to a server (device as client), and remote users
> connecting to the device to perform administration (device as server).
> Also, the SSH protocol is very crufty and showing its age - a refresh of the
> transport using Noise might help with that. But that's a longer term
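
The KCI point from the message above, as an added example that is not part of the original thread or of any Noise implementation: a client-auth proof keyed by DH(client static, server static) can be recomputed from the server's static private key alone, while one keyed by the server's fresh ephemeral ("<- e", "-> se") cannot. Assumptions: a toy finite-field DH stands in for Curve25519, and the HMAC-SHA256 proof and the transcript hash are constructed for illustration.

```python
import hashlib, hmac, secrets

# Toy finite-field DH standing in for Curve25519 (illustration only, not secure).
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(32, "big")

def proof(shared, handshake_hash):
    # Hypothetical client-auth proof: MAC over the enclosing session's handshake hash.
    return hmac.new(shared, handshake_hash, hashlib.sha256).digest()

def demo():
    h = hashlib.sha256(b"constructed enclosing-session transcript").digest()
    c_priv, c_pub = keypair()   # client static
    s_priv, s_pub = keypair()   # server static (assumed compromised)
    e_priv, e_pub = keypair()   # server's fresh ephemeral for this auth step

    # Variant A: proof keyed by DH(client static, server static).
    honest_ss = proof(dh(c_priv, s_pub), h)
    # Same value from the server side: needs only s_priv and the public c_pub.
    from_server_key_ss = proof(dh(s_priv, c_pub), h)

    # Variant B ("<- e", "-> se"): proof keyed by DH(client static, server ephemeral).
    honest_se = proof(dh(c_priv, e_pub), h)
    expected_se = proof(dh(e_priv, c_pub), h)        # what the server checks
    # s_priv gives no way to reach DH(c, e); the only DH it yields is the wrong one.
    from_server_key_se = proof(dh(s_priv, e_pub), h)

    return {
        "ss_forgeable": hmac.compare_digest(honest_ss, from_server_key_ss),
        "se_verifies": hmac.compare_digest(honest_se, expected_se),
        "se_forgeable": hmac.compare_digest(from_server_key_se, expected_se),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```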