[noise] Variable-length handshake payloads?
David Fifield
david at bamsoftware.com
Wed Dec 12 13:37:34 PST 2018
On Wed, Dec 12, 2018 at 02:28:40PM -0700, David Fifield wrote:
> > Below is a possible workaround that is a deviation from the spec. Here is what
> > it looks on the write side:
> >
> > ---begin pseudocode---
> > Let:
> > payload be a variable-length byte sequence
> > zerolen be a zero-length byte sequence
> >
> > // encrypt a blank, sort of like in REKEY()
> > lengthObfuscator = EncryptAndHash(zerolen)
>
> This seems to be a bug. I think you want to be encrypting a fixed-length
> string of zeros, not a zero-length string. EncryptAndHash("") is defined
> to return "".
> https://noiseprotocol.org/noise.html#the-cipherstate-object
> EncryptWithAd(ad, plaintext): If k is non-empty returns
> ENCRYPT(k, n++, ad, plaintext). Otherwise returns plaintext.
> https://noiseprotocol.org/noise.html#the-symmetricstate-object
> EncryptAndHash(plaintext): Sets ciphertext = EncryptWithAd(h,
> plaintext), calls MixHash(ciphertext), and returns ciphertext.
> Note that if k is empty, the EncryptWithAd() call will set
> ciphertext equal to plaintext.
Sorry, this is my mistake. EncryptAndHash("") will return a 16-byte
authentication tag, not an empty string. Nevertheless, the REKEY
operation is encrypting a 32-byte string of zeros, not an empty string
(the empty string is the ad parameter).
https://noiseprotocol.org/noise.html#cipher-functions
More information about the Noise
mailing list