[noise] Query about the definition of CipherState.encryptWithAd

David Wong davidwong.crypto at gmail.com
Fri May 1 14:29:18 PDT 2020 

IMO this is not an implementation/specification issue, this is a “what handshake pattern are you using, and are you using it correctly” issue.

The EncryptWithAd operation is specified this way so that you can send cleartext payloads as part of a handshake message that has no key. 

Take IK for example:

    IX:
      -> e, s
      <- e, ee, se, s, es

You have derived no key at the end of the first message, but it still might be useful to send a payload at the end.

David

> On May 1, 2020, at 2:08 PM, Justin Cormack <justin at specialbusservice.com> wrote:
> 
> This is a specification, your code does not have to do exactly this so long as it is equivalent.
> Obviously staying close is useful and you should reference the differences in comments, but
> you don't have to be literal.
> 
> Justin
> 
> 
> On Fri, 1 May 2020 at 16:35, Mike Hearn <mike at plan99.net <mailto:mike at plan99.net>> wrote:
> During a code review a colleague flagged an issue that I don't have a great answer for.
> 
> The Noise spec requires that the EncryptWithAd operation might not actually encrypt, if it's called before the key is set. This seems surprising and potentially a source of subtle bugs. I'd have expected an error to be signalled if you attempt an encryption or decryption operation without a key.
> 
> It appears it's defined this way to make WriteMessage simpler when processing an initial key in the first part of a handshake, before any DH operation has run. Everything being written out can be passed through EncryptAndHash without a special case for the position where no key is available. But translated directly to code this results in a rather odd exception inside the core encryption codepath which just looks all wrong. My colleague was right to flag it, even though the overall protocol and algorithm is correct.
> 
> Perhaps a future spec revision could adjust the definition of WriteMessage to fork the codepath depending on if 'k' is set, before CipherState is invoked?
> 
> thanks,
> -mike
> 
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org <mailto:Noise at moderncrypto.org>
> https://moderncrypto.org/mailman/listinfo/noise <https://moderncrypto.org/mailman/listinfo/noise>
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/noise

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20200501/3cdd88b1/attachment.html>

More information about the Noise mailing list