[noise] NoiseSocket and payload padding in handshake messages
Trevor Perrin
trevp at trevp.net
Wed Apr 18 01:39:24 PDT 2018
On Wed, Apr 18, 2018 at 8:17 AM, Nemanja Mijailovic
<metalnem at mijailovic.net> wrote:
> The NoiseSocket spec currently mandates padded size for the entire message, not just the payload (WriteHandshakeMessage in section 5):
>
> “If this message has an encryped payload and noise_message_len would be less than padded_len, padding is added to make noise_message_len equal padded_len”
Hm, good point!
This is in the API section, so it's more of a recommendation - how the
padding length is calculated by the sender doesn't affect interop, and
there might be reasons to use different algorithms, and different
APIs. (All of this needs to be clearer in the spec...)
> If we wanted to pad only the payload, we could replace noise_message_len with message_body_len, and the padding would be trivial.
Yeah, that's probably the better recommendation.
Full-message padding would be relevant to "Handshake
indistinguishability" from the core spec but that's much more
complicated, since you'd also have to deal with negotiation data in
the clear, ephemeral public keys, trial decryption, etc.
Trevor
More information about the Noise
mailing list