[noise] Draft extension: Authentication of handshake data between messages

str4d str4d at i2pmail.org
Sun Jun 3 00:23:32 PDT 2018


On 05/29/2018 07:59 PM, str4d wrote:
> On 05/29/2018 06:28 AM, Trevor Perrin wrote:
>> I wonder whether the "psk?" modifier approach could be directly
>> adapted, i.e. if we had an "h?" modifier where you could specify h0,
>> h1, h2, etc just like psk0, psk1, etc, would that suffice?  Or maybe
>> you'd want more flexible placement?
> 
> I think this might suffice. I'll try implementing this in snow and see
> if it can be made exactly compatible with my existing protocol
> implementation.

It works! Here is the updated draft extension. The only change I needed
to make to my existing protocol implementation (after switching to my
branch of snow with this updated draft implemented) was to add the
modifiers h1 and h2 to the protocol name.

str4d

---

# Noise extension: Authentication of handshake data between messages

## Motivation

The Noise protocol uses AEAD encryption to authenticate various
components within the Noise handshake messages. However, these Noise
messages may be embedded inside other messages, alongside other data
that is desirable to authenticate (such as padding bytes in handshake
messages 1 and 2).

Noise supports a prologue input that can be used to authenticate data
generated _before_ a handshake starts. This extension provides a way to
authenticate data generated _during_ a handshake, but _before_ its
completion.

## Changes to HandshakeState

A new internal boolean flag PENDING_H is stored inside HandshakeState.
It is initialized to False.

[Meta-note: I am open to alternative ways of managing or representing
the state that needs to be maintained between calls to WriteMessage(),
ReadMessage() and AuthenticateData(). This just seemed to be the
simplest way to do so.]

A new step is placed at the beginning of both WriteMessage() and
ReadMessage():

- If PENDING_H is True, an error is signaled to the caller.

The final step of both WriteMessage() and ReadMessage() is altered to read:

- If there are no more message patterns, and PENDING_H is False, returns
  two new CipherState objects by calling Split().

A new function is added to HandshakeState:

- AuthenticateData(data): Takes data external to the Noise handshake
  that should be authenticated. Performs the following steps:

  - If PENDING_H is False, an error is signaled to the caller.

  - Calls MixHash(data).

  - Sets PENDING_H to False.

  - If there are no more message patterns, returns two new CipherState
    objects by calling Split().

## Handshake tokens

In a handshake with external authenticated data, an "h" token is allowed
to appear one or more times in a handshake pattern. This token can only
appear in message patterns (not pre-message patterns), and it must
appear at the end of a message pattern (to remove ambiguity). This token
is processed by setting PENDING_H to True.

## Pattern modifiers

To indicate data authentication mode and the placement of the "h" token,
pattern modifiers are used. The modifiers h1, h2, etc., place an "h"
token at the end of the first, second, etc., handshake messages.

Any pattern using one of these modifiers must process tokens according
to the rules in "Handshake tokens".

Note that h0 is not a valid modifier, as placing an "h" token at the
beginning of the first handshake message would be almost identical to
using a prologue.

## Example implementation

https://github.com/str4d/snow/tree/h-modifier
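
As an added illustration (not part of str4d's message and not code from the snow branch), the Python sketch below models only the PENDING_H bookkeeping and the h-modifier placement described in the draft. DH, key derivation and encryption are left out; `HandshakeModel`, `process_message`, `apply_h_modifiers`, `NN` and the hash value returned in place of Split() are names and simplifications assumed for the example.

```python
import hashlib

class HandshakeError(Exception):
    pass

def apply_h_modifiers(messages, modifiers):
    """Append an "h" token to the end of message N for each modifier hN."""
    out = [list(m) for m in messages]
    for mod in modifiers:
        if mod[:1] != "h" or not mod[1:].isdigit():
            raise ValueError("not an h modifier: " + mod)
        n = int(mod[1:])
        if n < 1 or n > len(out):  # h0 is rejected, as in the draft
            raise ValueError("invalid placement: " + mod)
        out[n - 1].append("h")
    return out

class HandshakeModel:
    """Transcript-hash model only: DH, keys and encryption are left out."""
    def __init__(self, protocol_name, messages):
        # Noise rule: names up to HASHLEN bytes are zero-padded, longer ones hashed.
        self.h = (protocol_name.ljust(32, b"\0") if len(protocol_name) <= 32
                  else hashlib.sha256(protocol_name).digest())
        self.messages = list(messages)
        self.pending_h = False

    def mix_hash(self, data):
        self.h = hashlib.sha256(self.h + data).digest()

    def _maybe_split(self):
        # Stands in for Split(): returns the final h instead of CipherStates.
        if not self.messages and not self.pending_h:
            return self.h
        return None

    def process_message(self, message_bytes):
        """Models the h/PENDING_H steps shared by WriteMessage and ReadMessage."""
        if self.pending_h:
            raise HandshakeError("AuthenticateData() must be called first")
        if "h" in self.messages.pop(0):
            self.pending_h = True
        self.mix_hash(message_bytes)  # stand-in for per-token and payload hashing
        return self._maybe_split()

    def authenticate_data(self, data):
        if not self.pending_h:
            raise HandshakeError("no h token pending")
        self.mix_hash(data)
        self.pending_h = False
        return self._maybe_split()

NN = [["e"], ["e", "ee"]]  # constructed sample: message patterns of NN
```

With h1 and h2 applied to `NN`, the final value is returned by `authenticate_data()` after the second message rather than by `process_message()`, and it changes if either piece of external data changes.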
