[noise] NoiseSocket and payload padding in handshake messages

Alexey Ermishkin scratch.net at gmail.com
Wed Apr 18 07:35:31 PDT 2018


Should we just add a note on 2 bytes field in encrypted handshake payload or also accompany it with counting formulas?

-----Original Message-----
From: Trevor Perrin <trevp at trevp.net>
Sent: Wednesday, April 18, 2018 12:50 PM
To: Alexey Ermishkin <scratch.net at gmail.com>
Cc: Nemanja Mijailovic <metalnem at mijailovic.net>; noise 
<noise at moderncrypto.org>
Subject: Re: [noise] NoiseSocket and payload padding in handshake messages

On Tue, Apr 17, 2018 at 4:31 PM, Trevor Perrin <trevp at trevp.net> wrote:
>
> Let's take a moment to think about this and make sure we know what
> decision we're making, and why we're making it.


I think I'm still in favor of having NoiseSocket padding (i.e. the 2-byte 
"body_len" field) present in encrypted handshake payloads, as well as 
transport payloads.

Padding is useful here for the usual reason:  you might be encrypting 
variable-length handshake payloads and want to hide the length.

If we omitted NoiseSocket padding in handshake payloads then padding could 
still be added at a higher level.  For example, we could add a padding field 
into the NLS protobuf.  However it's easier to add padding _after_ you've 
encoded the protobuf into bytes, rather than guessing the length beforehand 
and dealing with things like varints.

Also, since we decided padding made sense as a NoiseSocket responsibility, 
it seems reasonable to apply padding consistently to all the places where 
NoiseSocket encrypts variable-length payloads.


Trevor



More information about the Noise mailing list