[noise] Encrypting 0-RTT payloads
Matthew Hodgson
matthew at matrix.org
Fri Dec 7 03:06:47 PST 2018
On 07/12/2018 03:14, Trevor Perrin wrote:
> I might be misunderstanding the question. But every Noise handshake
> message contains a payload at the end. If "k" exists, then this
> payload is encrypted with SymmetricKey.EncryptAndHash(payload), using
> the underlying CipherState.

Hi Trevor,

Thanks for the quick answer; you understood the question correctly and
I'm now on the right page. I was managing to tie myself in knots thanks to:

* Having been naively confused at first by the initial NN & XX
  handshake payloads being unencrypted, and then assuming all handshake
  payloads had to be manually encrypted.
* Not having read the spec thoroughly enough to realise that Noise
  automatically encrypts handshake payloads if `k` is available.
* Looking at the IK payload *after* being returned by ReadMessage rather
  than before, and failing to realise that it had been working all along :/

Sorry for the noise...

In other news, we're experimenting with Noise for transport layer
encryption for CoAP (low-bandwidth REST-style protocol over UDP).
However, we're butting up against the problems mentioned in "11.4.
Out-of-order transport messages" in the spec - specifically the risk of
missing and out-of-order handshake messages. Is there any standard way
emerging of how to handle this at the application layer (I guess from
the NoiseTransport or NLS work)?

thanks,
Matthew
--
Matthew Hodgson
Matrix.org
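
The behaviour discussed in this message (a handshake payload goes out in the clear until `k` exists and is encrypted automatically afterwards), as an added sketch that is not part of the original email or of any Noise library. It follows the spec's MixHash / MixKey / EncryptAndHash rules; assumptions: a toy SHA-256/HMAC construction stands in for the real AEAD, and the DH output is passed in by the caller instead of being computed.

```python
import hashlib, hmac

def _hmac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _toy_stream(k, nonce, data):
    # Stand-in keystream (SHA-256 in counter mode); NOT a real Noise cipher.
    ks = b"".join(hashlib.sha256(k + nonce + i.to_bytes(4, "little")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class SymmetricState:
    def __init__(self, name):
        # InitializeSymmetric: h = padded or hashed protocol name, ck = h, k empty.
        self.h = name.ljust(32, b"\0") if len(name) <= 32 else hashlib.sha256(name).digest()
        self.ck, self.k, self.n = self.h, None, 0

    def mix_hash(self, data):
        self.h = hashlib.sha256(self.h + data).digest()

    def mix_key(self, ikm):
        # Spec HKDF with two outputs: new ck and temp_k; the nonce resets to 0.
        temp = _hmac(self.ck, ikm)
        self.ck = _hmac(temp, b"\x01")
        self.k, self.n = _hmac(temp, self.ck + b"\x02"), 0

    def _tag(self, nonce, ct):
        # The handshake hash h is the associated data, binding the transcript.
        return _hmac(self.k, self.h + nonce + ct)[:16]

    def encrypt_and_hash(self, plaintext):
        out = plaintext  # no k yet (NN/XX first message): payload stays in clear
        if self.k is not None:
            nonce = self.n.to_bytes(8, "little")
            ct = _toy_stream(self.k, nonce, plaintext)
            out, self.n = ct + self._tag(nonce, ct), self.n + 1
        self.mix_hash(out)
        return out

    def decrypt_and_hash(self, data):
        plaintext = data
        if self.k is not None:
            nonce, ct = self.n.to_bytes(8, "little"), data[:-16]
            if not hmac.compare_digest(data[-16:], self._tag(nonce, ct)):
                raise ValueError("handshake payload failed authentication")
            plaintext, self.n = _toy_stream(self.k, nonce, ct), self.n + 1
        self.mix_hash(data)
        return plaintext
```

On a fresh state `encrypt_and_hash` returns the payload unchanged; after `mix_key(dh_output)`, as happens before the first IK payload, it returns ciphertext 16 bytes longer. Only the output of `decrypt_and_hash`, the ReadMessage side, shows the plaintext again.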