[noise] Socketguard: seeking feedback on protocol variations

[Ben Burkert]

Hello,

I am working on a Linux module [1] for encrypting TCP traffic. It's
similar to NoiseSocket, but more along the lines of "Wireguard for
individual TCP connections". By building on the ULP feature in Linux,
encryption can be setup in userspace and performed by the kernel without
pulling in additional libraries, or implemented as a language library
[2] for non Linux/ULP environments. The implementation mostly follows
Wireguard's protocol for a Noise_IK handshake, but varies slightly from
Wireguard & the Noise spec. I'm hoping to get some feedback on these
variations from the Noise spec.

First up, the version negotiation data is encrypted in the handshake
messages for both the initiator and responder. Here the encrypted
version data is constructed the same way as the initiator's encrypted
static public key.  However, while the static public key is encrypted to
provide identity hiding, the version is encrypted to prevent downgrade
attacks and to "grease" the protocol.

Secondly, rekeying is modified to include an "es" DH exchange to provide
ongoing forward-secrecy and key-compromise impersonation resistance. And
rekeying is one sided: only a single sending/receiving key is refreshed
when a rekey is performed. Both sides are in charge of rekeying their
respective sending key. The intent is to provide the same
confidentiality properties of a full handshake without the additional
coordination required for a handshake.  So both sides performing a rekey
should be equivalent to a handshake. An encrypted timestamp is included
in the rekey message to prevent replay attacks.

There are other deviations from the Wireguard protocol, but those have
more to do with the differences in the underlying protocols (i.e. TCP vs
UDP) or use cases, and little to do with Noise protocol.

I look forward to hearing any feedback, thanks for the Noise!

-Ben


[1] https://github.com/benburkert/socketguard-linux
[3] https://github.com/benburkert/socketguard-go