[noise] Draft extension: Authentication of handshake data between messages
str4d
str4d at i2pmail.org
Sun May 27 22:18:31 PDT 2018
Hi all,
This is the second of three draft extensions I've been working on, as
part of designing the new Noise-based TCP transport for I2P [0]. Note
that I'm using the term "extension" loosely - I don't know exactly how
these would best fit into the ecosystem.
I look forward to your feedback!
Cheers,
str4d
[0] https://geti2p.net/spec/proposals/111-ntcp-2
---
# Noise extension: Authentication of handshake data between messages
## Motivation
The Noise protocol uses AEAD encryption to authenticate various
components within the Noise handshake messages. However, these Noise
messages may be embedded inside other messages, alongside other data
that is desirable to authenticate (such as padding bytes in handshake
messages 1 and 2).
Noise supports a prologue input that can be used to authenticate data
generated _before_ a handshake starts. This extension provides a way to
authenticate data generated _during_ a handshake, but _before_ its
completion.
## Changes to the Noise specification
A new function is added to HandshakeState:
- AuthenticateData(data): Calls MixHash(data), unless there are no more
message patterns, in which case an error is signaled to the caller.
Both initiator and responder must call AuthenticateData() at the same
points during handshake message-handling (e.g. after the initiator's
first call to WriteMessage() and after the responder's first call to
ReadMessage()).
[Meta-note: I wasn't sure whether to indicate this behaviour with a
modifier, or rely on the higher-layer protocol to define its usage.
Modifiers are canonically used for modifying the behaviour of
WriteMessage() and ReadMessage(), whereas this extension modifies
handshake validity outside them.]
## Example implementation
https://github.com/str4d/snow/tree/authenticate_data
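
The padding check described in the draft, as an added example that is not part of the original post or of the linked snow branch. It models only the handshake hash h with SHA-256; the protocol name, the three-message pattern count, the sample message bytes and the `process_message` stand-in for WriteMessage()/ReadMessage() are assumptions.

```python
import hashlib

HASHLEN = 32  # SHA-256 output length


class HandshakeHashModel:
    """Tracks only h and the remaining message patterns; DH and ciphers are omitted."""

    def __init__(self, protocol_name: bytes, prologue: bytes, num_patterns: int):
        # Noise InitializeSymmetric: pad short names with zeros, hash long ones.
        if len(protocol_name) <= HASHLEN:
            self.h = protocol_name.ljust(HASHLEN, b"\x00")
        else:
            self.h = hashlib.sha256(protocol_name).digest()
        self.remaining = num_patterns
        self.mix_hash(prologue)

    def mix_hash(self, data: bytes) -> None:
        self.h = hashlib.sha256(self.h + data).digest()

    def process_message(self, message: bytes) -> None:
        # Simplification: stands in for WriteMessage()/ReadMessage(), which mix
        # each public key and ciphertext of the handshake message into h.
        if self.remaining == 0:
            raise RuntimeError("handshake already complete")
        self.mix_hash(message)
        self.remaining -= 1

    def authenticate_data(self, data: bytes) -> None:
        # The draft's AuthenticateData(): MixHash(data), or an error once no
        # message patterns remain.
        if self.remaining == 0:
            raise RuntimeError("no more message patterns")
        self.mix_hash(data)


def hashes_after_message_1(sent_padding: bytes, received_padding: bytes):
    """Run message 1 on both sides; return (initiator h, responder h)."""
    name = b"Noise_XK_25519_ChaChaPoly_SHA256"  # constructed sample values
    msg1 = bytes(range(48))
    initiator = HandshakeHashModel(name, b"", 3)
    responder = HandshakeHashModel(name, b"", 3)
    initiator.process_message(msg1)  # initiator's first WriteMessage()
    initiator.authenticate_data(sent_padding)
    responder.process_message(msg1)  # responder's first ReadMessage()
    responder.authenticate_data(received_padding)
    return initiator.h, responder.h
```

When the two values of h differ, the next encrypted handshake field fails to decrypt, because Noise passes h as the associated data to the AEAD.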