[noise] Comparing SSH and Noise

Trevor Perrin trevp at trevp.net
Wed Jun 28 20:03:38 PDT 2017

(Previous email sent prematurely, read this one instead!)

On Wed, Jun 28, 2017 at 7:47 PM, Rhys Weatherley
<rhys.weatherley at gmail.com> wrote:
> On Wed, Jun 28, 2017 at 6:38 PM, Trevor Perrin <trevp at trevp.net> wrote:
>> TLS renegotiation in HTTPS was sometimes used like this (initial
>> server-authenticated handshake, then the server triggers a
>> renegotiation for client-auth once it learns which resource the client
>> is requesting).  Though I think that's discouraged / deprecated
>> nowadays.
> Was there some security reason for why authenticating this way was
> discouraged?  Other than re-negotiation itself being a problem separately
> from the auth?

I think TLS renegotiation had problems discovered in 2009 and 2014,
and wasn't used much anyways.  I didn't follow that part of TLS
history closely, though.

> It was actually the client's handshake ephemeral.  Which can be tossed as
> soon as the authentication step has completed.

If using DH, the client needs to authenticate itself using *some* key
from the server, and neither the server's static nor handshake
ephemeral is ideal (for KCI reasons in former case, and
forward-secrecy in latter).

> I was hoping for something that could be done with a one-way pattern to
> avoid an extra turn-around.

I imagine post-handshake client-auth being triggered by a server
request, so having the server send a fresh ephemeral isn't a big deal.
If you're trying to optimize round-trips, I'd wonder if client-auth
could just be done in the handshake (coming back to XX).

>> There could be a Noise extension here, but it would be more worthwhile
>> if we had a customer and use case in mind.
> My use case is funnily enough - SSH.  Or something like it.  Doing any kind
> of secure command-and-control on embedded devices is hard because of the
> heavy overhead of both TLS and SSH.  There are two shell modes of interest:
> devices "phoning home" to a server (device as client), and remote users
> connecting to the device to perform administration (device as server).

That's cool.  I've wish SSH had a good PAKE (password authenticated
key exchange), maybe if we work that out for Noise it would useful
here (or maybe not, maybe there are better options than passwords).


More information about the Noise mailing list