[noise] NoiseSocket status and plans
David Wong
davidwong.crypto at gmail.com
Tue Nov 21 15:36:50 PST 2017
Hey!
I've taken a look at the spec and I see now that it is a very general spec:
* it mentions 0-RTT once without explanations on what it is or how it would work
* it does not define what patterns are used or what combinations of
patterns can be used
* it does not define what format is used for negotiation data
so is this another framework on top of the Noise protocol framework?
I had the idea that it was more "plug-and-play" than that.
> Length fields
> --------------
> NoiseSocket uses 2-byte lengths for:
> (a) negotiation_data in handshake messages (for extensibility)
> (b) Noise message lengths (for framing)
> (c) The body length of encrypted payloads (for length-hiding)
Is a Noise message of 65535 bytes including all of this?
> The main alternative is to allow 4-byte lengths for (b) and (c) for
> "jumbo" transport messages, if both parties agree [1]. This might
> improve efficiency for high-speed implementations [2].
What is a jumbo transport message? Not sure I understand the explanation in [1].
> Negotiation
> ------------
> The NoiseSocket spec discusses the responder having 5 options based on
> the initial message:
> - Acceptance
> - Change protocol and send fallback message
> - Change protocol and sent reinitialization request
> - Explicit rejection
> - Silent rejection
>
> I think we can clarify this list, and generalize it a bit:
> - Accept
> - Switch (instead of fallback)
> - Retry (instead of reinitialization request)
> - Explicit reject
> - Silent reject
>
> This generalizes "fallback" to the responder "switching" protocols and
> sending an initial message - perhaps from a fallback protocol, or some
> other "Bob-initiated" protocol [3].
I like that "fallback" directly points to what the Noise Protocol
Framework calls "fallback".
> We could rename "Reinitialization" to "Retry" since this is simpler
> language and more aligned with "Retry Request" from TLS.
Agree.
> negotiation_data noise_message
> Accept *
> Switch * *
> Retry *
> Explicit Reject *
> Silent Reject
>
Such a table would actually be nice to have in the spec.
> Another issue: Should we allow the NoiseSocket-using application to
> provide some "application prologue" that gets mixed in somehow? One
> option is to simply append an "application prologue" to the above
> NoiseSocket prologues. The above prologues are length-terminated, so
> it will be clear where the NoiseSocket prologue ends and the
> application prologue begins.
Yeah I think it's nice to allow the application to include any
prologue it wants to.
> API
> ----
> The current spec emphasizes a message-based API (WriteMessage /
> ReadMessage), instead of a more TCP or TLS-like stream API (Write /
> Read / Flush, something like that).
>
> The rationale is that you could implement a stream API on top of a
> message API but not vice versa, so this seemed the most general.
>
> OTOH, a stream API is going to be most useful over TCP, and
> NoiseSocket's length/framing fields are designed for such a case. So
> maybe we'd be better off emphasizing a stream API, here?
Why not having two different APIs for TCP and UDP?
David
More information about the Noise
mailing list