[noise] Encrypting 0-RTT payloads

Justin Cormack justin at specialbusservice.com
Fri Dec 7 09:37:53 PST 2018


Looking at CoAP, not sure the nQUIC model will help, as that
essentially implements TCP on top of UDP itself.

For the handshake messages you need to use confirmable messages, and
so treat the handshake as a pair of confirmable request+response
messages, even if the Noise handshake might only be three messages.

For the ongoing messages, the WireGuard scheme (which is similar to IPsec):

Nonces are never reused. A 64bit counter is used, and cannot be wound
backward. UDP, however, sometimes delivers messages out of order. For
that reason we use a sliding window, in which we keep track of the
greatest counter received and a window of roughly 2000 prior values.
This avoids replay attacks while ensuring nonces are never reused and
that UDP can maintain out-of-order delivery performance.

You could reduce the sliding window for CoAP. That assumes you transmit
the nonce, as the DTLS implementation for CoAP does. If you are very
resource constrained though you might have to optimise.

Justin

On Fri, 7 Dec 2018 at 16:58, Trevor Perrin <trevp at trevp.net> wrote:
>
> On Fri, Dec 7, 2018 at 11:06 AM Matthew Hodgson <matthew at matrix.org> wrote:
> >
> > In other news; we're experimenting with noise for transport layer
> > encryption for CoAP (low-bandwidth REST-style protocol over UDP).
> > However, we're butting up against the problems mentioned in "11.4.
> > Out-of-order transport messages" in the spec - specifically the risk of
> > missing and out-of-order handshake messages.  Is there any standard way
> > emerging of how to handle this at the application layer (I guess from
> > the NoiseTransport or NLS work)?
>
> You could look at WireGuard, or maybe also the recent nQUIC.  I know
> other people have similar questions, maybe we should discuss this more
> as a shared effort.  But the opinion has also been expressed (I think
> from Jason) that different approaches will make sense in different
> circumstances.
>
> So I don't have a great off-the-cuff / off-the-shelf answer for you.
>
> Trevor
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/noise
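
The sliding-window replay check described in the message above, shrunk to a 64-entry window for a constrained CoAP endpoint. This is an added example, not part of the original thread and not WireGuard's code; the names `replay_window`, `replay_accept` and `demo_accept_mask` and the window size are assumptions, and it assumes the 64-bit counter is transmitted with each packet and that the check runs only after the packet has authenticated.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WINDOW_BITS 64 /* assumed reduced window; the quoted scheme keeps ~2000 */

struct replay_window {
    uint64_t greatest; /* greatest counter accepted so far */
    uint64_t bitmap;   /* bit i set: counter (greatest - i) was already accepted */
    bool started;      /* false until the first packet is accepted */
};

/* Call only after the packet has authenticated under this counter as nonce.
 * Returns true (and records the counter) if fresh, false if replayed or too old. */
bool replay_accept(struct replay_window *w, uint64_t counter)
{
    if (!w->started || counter > w->greatest) {
        uint64_t shift = w->started ? counter - w->greatest : WINDOW_BITS;
        w->bitmap = (shift >= WINDOW_BITS ? 0 : w->bitmap << shift) | 1;
        w->greatest = counter;
        w->started = true;
        return true;
    }
    uint64_t age = w->greatest - counter;
    if (age >= WINDOW_BITS)
        return false; /* fell out of the window: cannot prove it is fresh */
    if (w->bitmap & (1ULL << age))
        return false; /* same counter seen before: replay */
    w->bitmap |= 1ULL << age;
    return true;
}

/* Constructed counter sequence (not captured traffic); bit i of the result
 * is set when the i-th counter was accepted. */
unsigned demo_accept_mask(void)
{
    static const uint64_t seq[] = {0, 1, 3, 2, 3, 70, 5, 69, 70, 200, 137, 136};
    struct replay_window w = {0};
    unsigned mask = 0;
    for (unsigned i = 0; i < sizeof seq / sizeof seq[0]; i++)
        if (replay_accept(&w, seq[i]))
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    printf("accept mask: 0x%x\n", demo_accept_mask());
    return 0;
}
```

Out-of-order counters inside the window (2 after 3, 69 after 70, 137 after 200) are accepted once; repeats and counters 64 or more behind the greatest are dropped.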

