[noise] Practical safety of the spec's SetNonce API
jake mcginty
me at jake.su
Thu Aug 2 11:06:44 PDT 2018
The upcoming release of Snow is planning to drop the SetNonce-style API because, in my opinion, it feels too enabling for people practicing Unsafe Noncing®:
session.set_receiving_nonce(nonce)
session.read_message(...)
will instead become:
session.read_message_with_nonce(nonce, ...)
and the user will be required upon finishing the handshake to choose a transport mode with either explicit or implicit nonces to prevent some footgunning: session.into_transport_mode() or session.into_stateless_transport_mode().
I'd obviously like to keep from unnecessarily diverging from spec API, so I thought this would be a good opportunity to float this type of change for the main noise spec as well. Something like:
* Remove SetNonce(nonce) from CipherState
* Add {Encrypt,Decrypt}WithAdAndNonce(nonce, ad, plaintext) (but that's a very long-winded method name)
Thoughts?
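As an added illustration of the footgun the post is about (example code written for this page, not Snow's or the Noise spec's own code): a toy Rust model of the three API shapes. The type names LegacyTransport, StatefulTransport and StatelessTransport, the set_nonce / write_message / write_message_with_nonce method names, and the keystream are all assumptions made for the example; the "keystream" is a deterministic placeholder, not a cipher, and exists only so the nonce-reuse algebra (c1 ^ c2 == p1 ^ p2) is visible.

```rust
// Added example, not Snow's or the Noise spec's code. The keystream below is a
// placeholder (FNV-style mixing), NOT a real cipher; it is here only to show
// what nonce reuse leaks. All type and method names are assumptions.

/// Noise reserves the counter value 2^64-1 to mean "nonce exhausted".
pub const MAX_NONCE: u64 = u64::MAX;

/// Placeholder keystream byte, deterministic in (key, nonce, position).
fn keystream_byte(key: &[u8; 32], nonce: u64, pos: usize) -> u8 {
    let nb = nonce.to_le_bytes();
    let pb = (pos as u64).to_le_bytes();
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in key.iter().chain(nb.iter()).chain(pb.iter()) {
        h ^= u64::from(*b);
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    (h >> 56) as u8
}

/// XOR `data` with the keystream for (key, nonce); applying it twice recovers the input.
pub fn xor_stream(key: &[u8; 32], nonce: u64, data: &[u8]) -> Vec<u8> {
    data.iter()
        .enumerate()
        .map(|(i, b)| b ^ keystream_byte(key, nonce, i))
        .collect()
}

#[derive(Debug, PartialEq, Eq)]
pub enum NonceError {
    Exhausted,
}

/// The API being dropped: the counter is state, but the caller can rewind it.
pub struct LegacyTransport { key: [u8; 32], n: u64 }

impl LegacyTransport {
    pub fn new(key: [u8; 32]) -> Self { Self { key, n: 0 } }
    /// SetNonce-style: nothing stops a caller from moving the counter backwards.
    pub fn set_nonce(&mut self, n: u64) { self.n = n; }
    pub fn write_message(&mut self, pt: &[u8]) -> Result<Vec<u8>, NonceError> {
        if self.n == MAX_NONCE { return Err(NonceError::Exhausted); }
        let ct = xor_stream(&self.key, self.n, pt);
        self.n += 1;
        Ok(ct)
    }
}

/// Implicit nonces: the counter only ever advances; there is no way to rewind it.
pub struct StatefulTransport { key: [u8; 32], n: u64 }

impl StatefulTransport {
    pub fn new(key: [u8; 32]) -> Self { Self { key, n: 0 } }
    pub fn nonce(&self) -> u64 { self.n }
    pub fn write_message(&mut self, pt: &[u8]) -> Result<Vec<u8>, NonceError> {
        if self.n == MAX_NONCE { return Err(NonceError::Exhausted); }
        let ct = xor_stream(&self.key, self.n, pt);
        self.n += 1;
        Ok(ct)
    }
}

/// Explicit nonces: the caller supplies one with every call and owns uniqueness
/// (for example, out-of-order datagrams); the state itself keeps no counter.
pub struct StatelessTransport { key: [u8; 32] }

impl StatelessTransport {
    pub fn new(key: [u8; 32]) -> Self { Self { key } }
    pub fn write_message_with_nonce(&self, nonce: u64, pt: &[u8]) -> Result<Vec<u8>, NonceError> {
        if nonce == MAX_NONCE { return Err(NonceError::Exhausted); }
        Ok(xor_stream(&self.key, nonce, pt))
    }
}

/// What an observer recovers from two ciphertexts under one (key, nonce): p1 ^ p2.
pub fn two_time_pad_leak(c1: &[u8], c2: &[u8]) -> Vec<u8> {
    c1.iter().zip(c2).map(|(a, b)| a ^ b).collect()
}

fn main() {
    // Constructed sample plaintexts for the demonstration.
    let key = [0x42u8; 32];
    let p1: &[u8] = b"attack at dawn";
    let p2: &[u8] = b"hold position!";
    let mut legacy = LegacyTransport::new(key);
    let c1 = legacy.write_message(p1).unwrap();
    legacy.set_nonce(0); // the footgun: rewinding the counter reuses nonce 0
    let c2 = legacy.write_message(p2).unwrap();
    let xor: Vec<u8> = p1.iter().zip(p2).map(|(a, b)| a ^ b).collect();
    assert_eq!(two_time_pad_leak(&c1, &c2), xor);
    println!("nonce reuse leaked p1 ^ p2: {:02x?}", xor);
}
```

The point of the split is that StatefulTransport has no method through which a nonce can repeat, and StatelessTransport makes the caller's responsibility for uniqueness visible at every call site, whereas LegacyTransport lets a single set_nonce call silently turn a stream cipher into a two-time pad.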