[noise] Comparing SSH and Noise

Trevor Perrin trevp at trevp.net
Wed Jun 28 20:00:00 PDT 2017

On Wed, Jun 28, 2017 at 7:47 PM, Rhys Weatherley
<rhys.weatherley at gmail.com> wrote:
> On Wed, Jun 28, 2017 at 6:38 PM, Trevor Perrin <trevp at trevp.net> wrote:
>> TLS renegotiation in HTTPS was sometimes used like this (initial
>> server-authenticated handshake, then the server triggers a
>> renegotiation for client-auth once it learns which resource the client
>> is requesting).  Though I think that's discouraged / deprecated
>> nowadays.
> Was there some security reason for why authenticating this way was
> discouraged?  Other than re-negotiation itself being a problem separately
> from the auth?

Yeah, TLS renegotiation had problems discovered in 2009 and 2014, and
wasn't used much anyways.  I didn't follow that part of TLS history
closely, though.

> It was actually the client's handshake ephemeral.  Which can be tossed as
> soon as the authentication step has completed.

>>  * If you use the server's static then there's a KCI issue, i.e. the
>> client-auth can be forged if the server's key is compromised.
>> You might prefer something like:
>> <- e
>> -> se
>> With the handshake hash from enclosing session in the prologue.  But
>> that's an invalid pattern, so we'd need a special rule for that!
> I was hoping for something that could be done with a one-way pattern to
> avoid an extra turn-around.  Noise_X on its own would work, with a fresh
> ephemeral.  I was exploring ideas to reduce the computational overhead by
> reusing previous ephemerals or not using them at all.  Noise_X would be
> safer and easier to justify.
>> There could be a Noise extension here, but it would be more worthwhile
>> if we had a customer and use case in mind.
> My use case is funnily enough - SSH.  Or something like it.  Doing any kind
> of secure command-and-control on embedded devices is hard because of the
> heavy overhead of both TLS and SSH.  There are two shell modes of interest:
> devices "phoning home" to a server (device as client), and remote users
> connecting to the device to perform administration (device as server).
> Also, the SSH protocol is very crufty and showing its age - a refresh of the
> transport using Noise might help with that.  But that's a longer term
> experiment.
> Cheers,
> Rhys.
