author: trevnoise <noise@trevp.net> 2018-05-28 23:44:41 +0000
committer: trevnoise <noise@trevp.net> 2018-05-28 23:44:41 +0000
commit: e9468bc4879b8006da5de9599e22b15731caf5e0 (patch)
tree: c54ce339e1bb9041d12f170497cec2c6df0024b4
parent: Clean up text around negotiation data / rollback (diff)
download: noise-e9468bc4879b8006da5de9599e22b15731caf5e0.tar.xz
noise-e9468bc4879b8006da5de9599e22b15731caf5e0.zip
Add security properties tables
-rw-r--r-- noise.md 215
-rw-r--r-- output/noise.html 262
-rw-r--r-- output/noise.pdf bin 379412 -> 382704 bytes
3 files changed, 455 insertions, 22 deletions
diff --git a/noise.md b/noise.md
index 9e14a7c..e807352 100644
--- a/noise.md
+++ b/noise.md
@@ -883,7 +883,7 @@ Deferred patterns might be useful for several reasons:
* Future extensions to Noise might be capable of replacing DH operations with signatures or KEM ciphertexts, but would only be able to do so if the sender is authenticating themselves (signatures) or the sender is authenticating the recipient (KEM ciphertexts). Thus every fundamental handshake pattern is only capable of having each authentication DH replaced with a signature *or* KEM ciphertext, but the deferred variants make both replacements possible.
-Below are two examples showing a fundamental handshake pattern on the left, and deferred variant(s) on the right. The full set of 22 deferred handshake patterns are in the [Appendix](#deferred-patterns).
+Below are two examples showing a fundamental handshake pattern on the left, and deferred variant(s) on the right. The full set of 23 deferred handshake patterns are in the [Appendix](#deferred-patterns).
+---------------------------+--------------------------------+
| NK: | NK1: |
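Review bot: The changed sentence "The full set of 23 deferred handshake patterns are in the Appendix" has a singular subject ("set"), so "are" should be "is". Since the line is already being edited for the count, fix the agreement in the same change, and in the matching paragraph of output/noise.html.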
@@ -1043,10 +1043,10 @@ received.
| <- 2 5 |
+--------------------------------------------------------------+
| XX |
-| -> e 0 0 |
-| <- e, ee, s, es 2 1 |
-| -> s, se 2 5 |
-| <- 2 5 |
+| -> e 0 0 |
+| <- e, ee, s, es 2 1 |
+| -> s, se 2 5 |
+| <- 2 5 |
+--------------------------------------------------------------+
| KN |
| -> s |
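Review bot: The four removed and four added XX rows carry the same tokens and the same property values (0 0, 2 1, 2 5, 2 5), so this hunk is a column realignment only. Say so in the commit message, or split it into its own commit, so that someone auditing changes to the security-property values does not have to compare the rows by hand to confirm nothing moved.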
@@ -2103,9 +2103,9 @@ versions.
# 18. Appendices
-# 18.1 Deferred patterns
+## 18.1 Deferred patterns
-The following table lists all 22 deferred handshake patterns in the right
+The following table lists all 23 deferred handshake patterns in the right
column, with their corresponding fundamental handshake pattern in the left
column. See [Section 7](#handshake-patterns) for an explanation of
fundamental and deferred patterns.
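Review bot: The count 23 is now hard-coded here and in the Section 7 sentence changed earlier in this patch, and both have to be kept in step with the table by hand. The new 18.2 table does list 23 patterns, so the figure is right as of this commit, but consider dropping it ("lists all deferred handshake patterns") so the next added pattern cannot leave one of the two sentences stale. The heading-level fix from "#" to "##" is correct for a subsection of 18.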
@@ -2124,6 +2124,13 @@ fundamental and deferred patterns.
| | -> es |
| | |
+---------------------------+--------------------------------+
+| XN: | X1N: |
+| -> e | -> e |
+| <- e, ee | <- e, ee |
+| -> s, se | -> s |
+| | <- se |
+| | |
++---------------------------+--------------------------------+
| XK: | X1K: |
| <- s | <- s |
| ... | ... |
@@ -2265,5 +2272,199 @@ fundamental and deferred patterns.
| | |
+---------------------------+--------------------------------+
+\newpage
+
+## 18.2. Security properties for deferred patterns
+
+The following table lists the the security properties for the Noise handshake
+and transport payloads for all the deferred patterns in the previous section.
+The security properties are labelled using the notation from [Section 7.6](#payload-security-properties).
+
++--------------------------------------------------------------+
+| Source Destination |
++--------------------------------------------------------------+
+| NK1 |
+| <- s |
+| ... |
+| -> e 0 0 |
+| <- e, ee, es 2 1 |
+| -> 0 5 |
++--------------------------------------------------------------+
+| NX1 |
+| -> e 0 0 |
+| <- e, ee, s 0 1 |
+| -> es 0 3 |
+| -> 2 1 |
+| <- 0 5 |
++--------------------------------------------------------------+
+| X1N |
+| -> e 0 0 |
+| <- e, ee 0 1 |
+| -> s 0 1 |
+| <- se 0 3 |
+| -> 2 1 |
++--------------------------------------------------------------+
+| X1K |
+| <- s |
+| ... |
+| -> e, es 0 2 |
+| <- e, ee 2 1 |
+| -> s 0 5 |
+| <- se 2 3 |
+| -> 2 5 |
+| <- 2 5 |
++--------------------------------------------------------------+
+| XK1 |
+| <- s |
+| ... |
+| -> e 0 0 |
+| <- e, ee, es 2 1 |
+| -> s, se 2 5 |
+| <- 2 5 |
++--------------------------------------------------------------+
+| X1K1 |
+| <- s |
+| ... |
+| -> e 0 0 |
+| <- e, ee, es 2 1 |
+| -> s 0 5 |
+| <- se 2 3 |
+| -> 2 5 |
+| <- 2 5 |
++--------------------------------------------------------------+
+| X1X |
+| -> e 0 0 |
+| <- e, ee, s, es 2 1 |
+| -> s 0 5 |
+| <- se 2 3 |
+| -> 2 5 |
+| <- 2 5 |
++--------------------------------------------------------------+
+| XX1 |
+| -> e 0 0 |
+| <- e, ee, s 0 1 |
+| -> es, s, se 2 3 |
+| <- 2 5 |
+| -> 2 5 |
++--------------------------------------------------------------+
+| X1X1 |
+| -> e 0 0 |
+| <- e, ee, s 0 1 |
+| -> es, s 0 3 |
+| <- se 2 3 |
+| -> 2 5 |
+| <- 2 5 |
++--------------------------------------------------------------+
+| K1N |
+| -> s |
+| ... |
+| -> e 0 0 |
+| <- e, ee 0 1 |
+| -> se 2 1 |
+| <- 0 5 |
++--------------------------------------------------------------+
+| K1K |
+| -> s |
+| <- s |
+| ... |
+| -> e, es 0 2 |
+| <- e, ee, se 2 1 |
+| -> se 2 5 |
+| <- 2 5 |
++--------------------------------------------------------------+
+| KK1 |
+| -> s |
+| <- s |
+| ... |
+| -> e 0 0 |
+| <- e, ee, se, es 2 3 |
+| -> 2 5 |
+| <- 2 5 |
++--------------------------------------------------------------+
+| K1K1 |
+| -> s |
+| <- s |
+| ... |
+| -> e 0 0 |
+| <- e, ee, es 2 1 |
+| -> se 2 5 |
+| <- 2 5 |
++--------------------------------------------------------------+
+| K1X |
+| -> s |
+| ... |
+| -> e 0 0 |
+| <- e, ee, s, es 2 1 |
+| -> se 2 5 |
+| <- 2 5 |
++--------------------------------------------------------------+
+| KX1 |
+| -> s |
+| ... |
+| -> e 0 0 |
+| <- e, ee, se, s 0 3 |
+| -> es 2 3 |
+| <- 2 5 |
+| -> 2 5 |
++--------------------------------------------------------------+
+| K1X1 |
+| -> s |
+| ... |
+| -> e 0 0 |
+| <- e, ee, s 0 1 |
+| -> se, es 2 3 |
+| <- 2 5 |
+| -> 2 5 |
++--------------------------------------------------------------+
+| I1N |
+| -> e, s 0 0 |
+| <- e, ee 0 1 |
+| -> se 2 1 |
+| <- 0 5 |
++--------------------------------------------------------------+
+| I1K |
+| <- s |
+| ... |
+| -> e, es, s 0 2 |
+| <- e, ee 2 1 |
+| -> se 2 5 |
+| <- 2 5 |
++--------------------------------------------------------------+
+| IK1 |
+| <- s |
+| ... |
+| -> e, s 0 0 |
+| <- e, ee, se, es 2 3 |
+| -> 2 5 |
+| <- 2 5 |
++--------------------------------------------------------------+
+| I1K1 |
+| <- s |
+| ... |
+| -> e, s 0 0 |
+| <- e, ee, es 2 1 |
+| -> se 2 5 |
+| <- 2 5 |
++--------------------------------------------------------------+
+| I1X |
+| -> e, s 0 0 |
+| <- e, ee, s, es 2 1 |
+| -> se 2 5 |
+| <- 2 5 |
++--------------------------------------------------------------+
+| IX1 |
+| -> e, s 0 0 |
+| <- e, ee, se, s 0 3 |
+| -> es 2 3 |
+| <- 2 5 |
+| -> 2 5 |
++--------------------------------------------------------------+
+| I1X1 |
+| -> e, s 0 0 |
+| <- e, ee, s 0 1 |
+| -> se, es 2 3 |
+| <- 2 5 |
+| -> 2 5 |
++--------------------------------------------------------------+
# 19. References
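Review bot: In the NX1 entry, "-> es 0 3" is followed directly by "-> 2 1", the only place in this table where two consecutive message rows point the same way. Every other entry alternates after its pre-messages, and in NX1 only the responder sends s, so please confirm whether the second arrow should be "<-" (with the final row then "->"). X1N also ends at "-> 2 1", leaving "<- se 0 3" as the responder's last listed row, whereas K1N and I1N, the other patterns in which only the initiator has a static key, finish with "<- 0 5". Check whether a closing "<-" row is missing there. Smaller points: the intro reads "lists the the security properties" (doubled "the"), and the heading is "18.2." with a trailing period where its sibling is "18.1".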
diff --git a/output/noise.html b/output/noise.html
index 6f7f85c..1ce146d 100644
--- a/output/noise.html
+++ b/output/noise.html
@@ -92,8 +92,10 @@
</ul></li>
<li><a href="#ipr">16. IPR</a></li>
<li><a href="#acknowledgements">17. Acknowledgements</a></li>
-<li><a href="#appendices">18. Appendices</a></li>
+<li><a href="#appendices">18. Appendices</a><ul>
<li><a href="#deferred-patterns">18.1 Deferred patterns</a></li>
+<li><a href="#security-properties-for-deferred-patterns">18.2. Security properties for deferred patterns</a></li>
+</ul></li>
<li><a href="#references">19. References</a></li>
</ul>
</div>
@@ -557,7 +559,7 @@ KK:
<li><p>In some cases, deferring authentication can improve the identity-hiding properties of the handshake (see <a href="#identity-hiding">Section 7.7</a>).</p></li>
<li><p>Future extensions to Noise might be capable of replacing DH operations with signatures or KEM ciphertexts, but would only be able to do so if the sender is authenticating themselves (signatures) or the sender is authenticating the recipient (KEM ciphertexts). Thus every fundamental handshake pattern is only capable of having each authentication DH replaced with a signature <em>or</em> KEM ciphertext, but the deferred variants make both replacements possible.</p></li>
</ul>
-<p>Below are two examples showing a fundamental handshake pattern on the left, and deferred variant(s) on the right. The full set of 22 deferred handshake patterns are in the <a href="#deferred-patterns">Appendix</a>.</p>
+<p>Below are two examples showing a fundamental handshake pattern on the left, and deferred variant(s) on the right. The full set of 23 deferred handshake patterns are in the <a href="#deferred-patterns">Appendix</a>.</p>
<table style="width:85%;">
<colgroup>
<col width="38%" />
@@ -674,10 +676,10 @@ KK:
</tr>
<tr class="even">
<td><pre><code>XX
- -&gt; e 0 0
- &lt;- e, ee, s, es 2 1
- -&gt; s, se 2 5
- &lt;- 2 5</code></pre></td>
+ -&gt; e 0 0
+ &lt;- e, ee, s, es 2 1
+ -&gt; s, se 2 5
+ &lt;- 2 5</code></pre></td>
</tr>
<tr class="odd">
<td><pre><code>KN
@@ -1395,8 +1397,8 @@ XXfallback:
<p>Jeremy Clark, Thomas Ristenpart, and Joe Bonneau gave feedback on earlier versions.</p>
<h1 id="appendices">18. Appendices</h1>
-<h1 id="deferred-patterns">18.1 Deferred patterns</h1>
-<p>The following table lists all 22 deferred handshake patterns in the right column, with their corresponding fundamental handshake pattern in the left column. See <a href="#handshake-patterns">Section 7</a> for an explanation of fundamental and deferred patterns.</p>
+<h2 id="deferred-patterns">18.1 Deferred patterns</h2>
+<p>The following table lists all 23 deferred handshake patterns in the right column, with their corresponding fundamental handshake pattern in the left column. See <a href="#handshake-patterns">Section 7</a> for an explanation of fundamental and deferred patterns.</p>
<table style="width:85%;">
<colgroup>
<col width="38%" />
@@ -1425,6 +1427,17 @@ XXfallback:
-&gt; es</code></pre></td>
</tr>
<tr class="odd">
+<td><pre><code>XN:
+ -&gt; e
+ &lt;- e, ee
+ -&gt; s, se</code></pre></td>
+<td><pre><code> X1N:
+ -&gt; e
+ &lt;- e, ee
+ -&gt; s
+ &lt;- se</code></pre></td>
+</tr>
+<tr class="even">
<td><pre><code>XK:
&lt;- s
...
@@ -1454,7 +1467,7 @@ XXfallback:
-&gt; s
&lt;- se</code></pre></td>
</tr>
-<tr class="even">
+<tr class="odd">
<td><pre><code>XX:
-&gt; e
&lt;- e, ee, s, es
@@ -1476,7 +1489,7 @@ XXfallback:
-&gt; es, s
&lt;- se</code></pre></td>
</tr>
-<tr class="odd">
+<tr class="even">
<td><pre><code>KN:
-&gt; s
...
@@ -1489,7 +1502,7 @@ XXfallback:
&lt;- e, ee
-&gt; se</code></pre></td>
</tr>
-<tr class="even">
+<tr class="odd">
<td><pre><code>KK:
-&gt; s
&lt;- s
@@ -1519,7 +1532,7 @@ XXfallback:
&lt;- e, ee, es
-&gt; se</code></pre></td>
</tr>
-<tr class="odd">
+<tr class="even">
<td><pre><code>KX:
-&gt; s
...
@@ -1546,7 +1559,7 @@ XXfallback:
&lt;- e, ee, s
-&gt; se, es</code></pre></td>
</tr>
-<tr class="even">
+<tr class="odd">
<td><pre><code>IN:
-&gt; e, s
&lt;- e, ee, se</code></pre></td>
@@ -1555,7 +1568,7 @@ XXfallback:
&lt;- e, ee
-&gt; se</code></pre></td>
</tr>
-<tr class="odd">
+<tr class="even">
<td><pre><code>IK:
&lt;- s
...
@@ -1581,7 +1594,7 @@ XXfallback:
&lt;- e, ee, es
-&gt; se</code></pre></td>
</tr>
-<tr class="even">
+<tr class="odd">
<td><pre><code>IX:
-&gt; e, s
&lt;- e, ee, se, s, es</code></pre></td>
@@ -1602,6 +1615,225 @@ XXfallback:
</tr>
</tbody>
</table>
+
+<h2 id="security-properties-for-deferred-patterns">18.2. Security properties for deferred patterns</h2>
+<p>The following table lists the the security properties for the Noise handshake and transport payloads for all the deferred patterns in the previous section. The security properties are labelled using the notation from <a href="#payload-security-properties">Section 7.6</a>.</p>
+<table style="width:88%;">
+<colgroup>
+<col width="87%" />
+</colgroup>
+<tbody>
+<tr class="odd">
+<td><pre><code> Source Destination</code></pre></td>
+</tr>
+<tr class="even">
+<td><pre><code>NK1
+ &lt;- s
+ ...
+ -&gt; e 0 0
+ &lt;- e, ee, es 2 1
+ -&gt; 0 5</code></pre></td>
+</tr>
+<tr class="odd">
+<td><pre><code>NX1
+ -&gt; e 0 0
+ &lt;- e, ee, s 0 1
+ -&gt; es 0 3
+ -&gt; 2 1
+ &lt;- 0 5</code></pre></td>
+</tr>
+<tr class="even">
+<td><pre><code>X1N
+ -&gt; e 0 0
+ &lt;- e, ee 0 1
+ -&gt; s 0 1
+ &lt;- se 0 3
+ -&gt; 2 1</code></pre></td>
+</tr>
+<tr class="odd">
+<td><pre><code>X1K
+ &lt;- s
+ ...
+ -&gt; e, es 0 2
+ &lt;- e, ee 2 1
+ -&gt; s 0 5
+ &lt;- se 2 3
+ -&gt; 2 5
+ &lt;- 2 5</code></pre></td>
+</tr>
+<tr class="even">
+<td><pre><code>XK1
+ &lt;- s
+ ...
+ -&gt; e 0 0
+ &lt;- e, ee, es 2 1
+ -&gt; s, se 2 5
+ &lt;- 2 5</code></pre></td>
+</tr>
+<tr class="odd">
+<td><pre><code>X1K1
+ &lt;- s
+ ...
+ -&gt; e 0 0
+ &lt;- e, ee, es 2 1
+ -&gt; s 0 5
+ &lt;- se 2 3
+ -&gt; 2 5
+ &lt;- 2 5</code></pre></td>
+</tr>
+<tr class="even">
+<td><pre><code>X1X
+ -&gt; e 0 0
+ &lt;- e, ee, s, es 2 1
+ -&gt; s 0 5
+ &lt;- se 2 3
+ -&gt; 2 5
+ &lt;- 2 5</code></pre></td>
+</tr>
+<tr class="odd">
+<td><pre><code>XX1
+ -&gt; e 0 0
+ &lt;- e, ee, s 0 1
+ -&gt; es, s, se 2 3
+ &lt;- 2 5
+ -&gt; 2 5</code></pre></td>
+</tr>
+<tr class="even">
+<td><pre><code>X1X1
+ -&gt; e 0 0
+ &lt;- e, ee, s 0 1
+ -&gt; es, s 0 3
+ &lt;- se 2 3
+ -&gt; 2 5
+ &lt;- 2 5</code></pre></td>
+</tr>
+<tr class="odd">
+<td><pre><code>K1N
+ -&gt; s
+ ...
+ -&gt; e 0 0
+ &lt;- e, ee 0 1
+ -&gt; se 2 1
+ &lt;- 0 5</code></pre></td>
+</tr>
+<tr class="even">
+<td><pre><code>K1K
+ -&gt; s
+ &lt;- s
+ ...
+ -&gt; e, es 0 2
+ &lt;- e, ee, se 2 1
+ -&gt; se 2 5
+ &lt;- 2 5</code></pre></td>
+</tr>
+<tr class="odd">
+<td><pre><code>KK1
+ -&gt; s
+ &lt;- s
+ ...
+ -&gt; e 0 0
+ &lt;- e, ee, se, es 2 3
+ -&gt; 2 5
+ &lt;- 2 5</code></pre></td>
+</tr>
+<tr class="even">
+<td><pre><code>K1K1
+ -&gt; s
+ &lt;- s
+ ...
+ -&gt; e 0 0
+ &lt;- e, ee, es 2 1
+ -&gt; se 2 5
+ &lt;- 2 5</code></pre></td>
+</tr>
+<tr class="odd">
+<td><pre><code>K1X
+ -&gt; s
+ ...
+ -&gt; e 0 0
+ &lt;- e, ee, s, es 2 1
+ -&gt; se 2 5
+ &lt;- 2 5</code></pre></td>
+</tr>
+<tr class="even">
+<td><pre><code>KX1
+ -&gt; s
+ ...
+ -&gt; e 0 0
+ &lt;- e, ee, se, s 0 3
+ -&gt; es 2 3
+ &lt;- 2 5
+ -&gt; 2 5</code></pre></td>
+</tr>
+<tr class="odd">
+<td><pre><code>K1X1
+ -&gt; s
+ ...
+ -&gt; e 0 0
+ &lt;- e, ee, s 0 1
+ -&gt; se, es 2 3
+ &lt;- 2 5
+ -&gt; 2 5</code></pre></td>
+</tr>
+<tr class="even">
+<td><pre><code>I1N
+ -&gt; e, s 0 0
+ &lt;- e, ee 0 1
+ -&gt; se 2 1
+ &lt;- 0 5</code></pre></td>
+</tr>
+<tr class="odd">
+<td><pre><code>I1K
+ &lt;- s
+ ...
+ -&gt; e, es, s 0 2
+ &lt;- e, ee 2 1
+ -&gt; se 2 5
+ &lt;- 2 5</code></pre></td>
+</tr>
+<tr class="even">
+<td><pre><code>IK1
+ &lt;- s
+ ...
+ -&gt; e, s 0 0
+ &lt;- e, ee, se, es 2 3
+ -&gt; 2 5
+ &lt;- 2 5</code></pre></td>
+</tr>
+<tr class="odd">
+<td><pre><code>I1K1
+ &lt;- s
+ ...
+ -&gt; e, s 0 0
+ &lt;- e, ee, es 2 1
+ -&gt; se 2 5
+ &lt;- 2 5</code></pre></td>
+</tr>
+<tr class="even">
+<td><pre><code>I1X
+ -&gt; e, s 0 0
+ &lt;- e, ee, s, es 2 1
+ -&gt; se 2 5
+ &lt;- 2 5</code></pre></td>
+</tr>
+<tr class="odd">
+<td><pre><code>IX1
+ -&gt; e, s 0 0
+ &lt;- e, ee, se, s 0 3
+ -&gt; es 2 3
+ &lt;- 2 5
+ -&gt; 2 5</code></pre></td>
+</tr>
+<tr class="even">
+<td><pre><code>I1X1
+ -&gt; e, s 0 0
+ &lt;- e, ee, s 0 1
+ -&gt; se, es 2 3
+ &lt;- 2 5
+ -&gt; 2 5</code></pre></td>
+</tr>
+</tbody>
+</table>
<h1 id="references" class="unnumbered">19. References</h1>
<div id="refs" class="references">
<div id="ref-Rogaway:2002">
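Review bot: The doubled word in "lists the the security properties" in the new paragraph under the 18.2 heading is carried over from noise.md, as is the "18.2." heading with its trailing period next to "18.1". Fix both in noise.md and regenerate output/noise.html and output/noise.pdf rather than editing the generated files, so the three stay identical in content. The same applies to any correction made to the NX1 and X1N rows, which appear here exactly as in the Markdown table.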
diff --git a/output/noise.pdf b/output/noise.pdf
index 7a1398c..e4197e1 100644
--- a/output/noise.pdf
+++ b/output/noise.pdf
Binary files differ