[noise] Noise Explorer

Nadim Kobeissi nadim at symbolic.software
Thu May 24 23:16:49 PDT 2018


Hello everyone,

I'm pleased to announce that Noise Explorer now includes formal
verification results with two "tokenless" messages for 28 of its 35
compendium entries.
Due to some constraints in ProVerif that we are currently investigating and
that we hope to soon remedy, some patterns had to be temporarily restricted
to only one "tokenless" message, while one pattern could not have any
"tokenless" messages at all.

     - Patterns that still have only one "tokenless" message: NK, K1N, XN,
I1N, NK1, NX (6 in total.)
     - Patterns that do not have any "tokenless" messages: NX1 (1 in total.)
     - Patterns that now have two "tokenless" messages: everything else (28
in total.)

To explore these new results, go to the Noise Explorer website and click on
"Explore Patterns" in the navigation menu: https://noiseexplorer.com

Nadim Kobeissi
Symbolic Software • https://symbolic.software
Sent from office

On Thu, May 24, 2018 at 7:30 PM Nadim Kobeissi <nadim at symbolic.software>
wrote:

> Dear Trevor,

> Here is the exact text of the grades in question in today's Noise
> specification:

> Authenticity grade 1: "Sender authentication vulnerable to key-compromise
> impersonation (KCI). The sender authentication is based on a static-static
> DH ("ss") involving both parties' static key pairs. If the recipient's
> long-term private key has been compromised, this authentication can be
> forged. Note that a future version of Noise might include signatures,
which
> could improve this security property, but brings other trade-offs."

> Authenticity grade 2: "Sender authentication resistant to key-compromise
> impersonation (KCI). The sender authentication is based on an
> ephemeral-static DH ("es" or "se") between the sender's static key pair
and
> the recipient's ephemeral key pair. Assuming the corresponding private
keys
> are secure, this authentication cannot be forged."

> The issue lies in that the above two paragraphs do not specify whether
> there is an opening for a malicious principal to mess with things. Observe
> message C in the following two results:

> https://noiseexplorer.com/patterns/KN.noise.html
> https://noiseexplorer.com/patterns/IK.noise.html

> In IK, message C is resistant to key compromise impersonation even if its
> sender (the initiator) negotiates a separate session in parallel with a
> compromised principal Charlie, who is controlled by the attacker
> unbeknownst to the sender.

> In KN, message C is also resistant to key compromise impersonation, but
> unlike message C in IK, this property does not hold if Charlie also enters
> the fray in a similar manner.

> In the current Noise specification, both KN and IK are given the similar
> grade for authenticity. That is the problem and the reason for the
expanded
> authenticity grading system. In Noise Explorer's system, grades 3 and 4
> essentially are short hand for "1 and 2 but with maintained key compromise
> impersonation resistance even when negotiating with a compromised
> principal."

> Now, I understand your suggestion with regards to pairing these grades
with
> corresponding confidentiality queries, but this raises two questions in my
> mind:

> 1. The confidentiality queries in question are written and formalized to
> deal with message secrecy and forward secrecy two properties that do not
at
> all touch upon authenticity. Shouldn't we strive to therefore working on
> separating these properties formally?

> 2. There is also the question of reduced precision. Instead of having
> authenticity grades "1, 3-5" and grade "2, 3-5", why not settle for a
> system where we obtain precise grades for authenticity, independently from
> having to look at a confidentiality/message secrecy/forward secrecy
result?

> Nadim Kobeissi
> Symbolic Software • https://symbolic.software
> Sent from office
> On Thu, May 24, 2018 at 6:10 PM Trevor Perrin <trevp at trevp.net> wrote:

> > On Thu, May 24, 2018 at 12:05 PM, Nadim Kobeissi
> > <nadim at symbolic.software> wrote:
> > > Hello everyone,
> > > I've been following up on all of these discussions very closely, but
> have
> > > not said anything because I've been working furiously on getting all
the
> > > formal results for all 22 deferred patterns *with* two "tokenless"
> messages
> > > out. I'm afraid that with the addition of two "tokenless" messages to
> every
> > > single model, the cost of verification increases dramatically. Things
> are
> > > still going to take quite a long time -- I wish we weren't nearing
> June, at
> > > least I'd have a use for the free radiators I now have in my apartment
> due
> > > to this -- quite a lot of finely tuned dedicated hardware is now
dealing
> > > with the formal verification load.
> > >
> > > An important clarification: Trevor says the following:
> > >> Thinking more on rev34, it would probably be irresponsible to publish
> > >> *without* security tables for all the deferred patterns...  So I'd
> > >> love to work out how to get your output processed into some tables
> > >> like the current ones (or possibly changed around a bit, depending on
> > >> that discussion).  Or really: for you to work that out, so I could
> > >> just copy-and-paste :-)....
> > >
> > > Trevor, the security tables for 20 of the deferred patterns are
already
> > > available on Noise Explorer's website. They simply do not include the
> > > "tokenless" messages. Just a note in the event that you missed that.
:-)
> > >
> > > Regarding the discussions on security properties, I'm personally
> currently
> > > satisfied with the recognition that any deferred pattern that opens
up a
> > > potential UKS attack will simply never qualify towards authenticity
> grades
> > > 3 and 4 (as defined by Noise Explorer) and will always be restricted
to
> a
> > > maximum of 1 or 2 (as defined by Noise Explorer, see my previous email
> > > where I list a "very quick summary" of the additions to the
authenticity
> > > properties.)

> > Hmm, the way I think about it, no patterns should ever open up a
> > potential UKS attack?  Also, the deferred patterns should end up with
> > the same properties as their corresponding fundamental pattern, since
> > they perform the same operations.

> > Looking more closely at your numeric grades, I think your two new
> > authentication grade numbers just correspond to the Noise
> > authentication grades 0-2, except you use 2 new numbers based on the
> > confidentiality grade it's being paired with:

> > ("NE" for Noise Explorer):

> > NE 0 -> spec(0, 0-2)
> > NE 1 -> spec(1, 0-2)
> > NE 2 -> spec(2, 0-2)
> > NE 3 -> spec(1, 3-5)
> > NE 4 -> spec(2, 3-5)

> > In other words, I don't think these new NE grades encode new
> > information.  So I'm not yet convinced they improve things versus the
> > Noise spec's system, seems like we could map your 3->1, and your 4->2,
> > and bring things into alignment?

> > Trevor


More information about the Noise mailing list