diff options
author | trevnoise <noise@trevp.net> | 2018-05-28 23:44:41 +0000 |
---|---|---|
committer | trevnoise <noise@trevp.net> | 2018-05-28 23:44:41 +0000 |
commit | e9468bc4879b8006da5de9599e22b15731caf5e0 (patch) | |
tree | c54ce339e1bb9041d12f170497cec2c6df0024b4 | |
parent | Clean up text around negotiation data / rollback (diff) | |
download | noise-e9468bc4879b8006da5de9599e22b15731caf5e0.tar.xz noise-e9468bc4879b8006da5de9599e22b15731caf5e0.zip |
Add security properties tables
-rw-r--r-- | noise.md | 215 | ||||
-rw-r--r-- | output/noise.html | 262 | ||||
-rw-r--r-- | output/noise.pdf | bin | 379412 -> 382704 bytes |
3 files changed, 455 insertions, 22 deletions
@@ -883,7 +883,7 @@ Deferred patterns might be useful for several reasons: * Future extensions to Noise might be capable of replacing DH operations with signatures or KEM ciphertexts, but would only be able to do so if the sender is authenticating themselves (signatures) or the sender is authenticating the recipient (KEM ciphertexts). Thus every fundamental handshake pattern is only capable of having each authentication DH replaced with a signature *or* KEM ciphertext, but the deferred variants make both replacements possible. -Below are two examples showing a fundamental handshake pattern on the left, and deferred variant(s) on the right. The full set of 22 deferred handshake patterns are in the [Appendix](#deferred-patterns). +Below are two examples showing a fundamental handshake pattern on the left, and deferred variant(s) on the right. The full set of 23 deferred handshake patterns are in the [Appendix](#deferred-patterns). +---------------------------+--------------------------------+ | NK: | NK1: | @@ -1043,10 +1043,10 @@ received. | <- 2 5 | +--------------------------------------------------------------+ | XX | -| -> e 0 0 | -| <- e, ee, s, es 2 1 | -| -> s, se 2 5 | -| <- 2 5 | +| -> e 0 0 | +| <- e, ee, s, es 2 1 | +| -> s, se 2 5 | +| <- 2 5 | +--------------------------------------------------------------+ | KN | | -> s | @@ -2103,9 +2103,9 @@ versions. # 18. Appendices -# 18.1 Deferred patterns +## 18.1 Deferred patterns -The following table lists all 22 deferred handshake patterns in the right +The following table lists all 23 deferred handshake patterns in the right column, with their corresponding fundamental handshake pattern in the left column. See [Section 7](#handshake-patterns) for an explanation of fundamental and deferred patterns. @@ -2124,6 +2124,13 @@ fundamental and deferred patterns. | | -> es | | | | +---------------------------+--------------------------------+ +| XN: | X1N: | +| -> e | -> e | +| <- e, ee | <- e, ee | +| -> s, se | -> s | +| | <- se | +| | | ++---------------------------+--------------------------------+ | XK: | X1K: | | <- s | <- s | | ... | ... | @@ -2265,5 +2272,199 @@ fundamental and deferred patterns. | | | +---------------------------+--------------------------------+ +\newpage + +## 18.2. Security properties for deferred patterns + +The following table lists the the security properties for the Noise handshake +and transport payloads for all the deferred patterns in the previous section. +The security properties are labelled using the notation from [Section 7.6](#payload-security-properties). + ++--------------------------------------------------------------+ +| Source Destination | ++--------------------------------------------------------------+ +| NK1 | +| <- s | +| ... | +| -> e 0 0 | +| <- e, ee, es 2 1 | +| -> 0 5 | ++--------------------------------------------------------------+ +| NX1 | +| -> e 0 0 | +| <- e, ee, s 0 1 | +| -> es 0 3 | +| -> 2 1 | +| <- 0 5 | ++--------------------------------------------------------------+ +| X1N | +| -> e 0 0 | +| <- e, ee 0 1 | +| -> s 0 1 | +| <- se 0 3 | +| -> 2 1 | ++--------------------------------------------------------------+ +| X1K | +| <- s | +| ... | +| -> e, es 0 2 | +| <- e, ee 2 1 | +| -> s 0 5 | +| <- se 2 3 | +| -> 2 5 | +| <- 2 5 | ++--------------------------------------------------------------+ +| XK1 | +| <- s | +| ... | +| -> e 0 0 | +| <- e, ee, es 2 1 | +| -> s, se 2 5 | +| <- 2 5 | ++--------------------------------------------------------------+ +| X1K1 | +| <- s | +| ... | +| -> e 0 0 | +| <- e, ee, es 2 1 | +| -> s 0 5 | +| <- se 2 3 | +| -> 2 5 | +| <- 2 5 | ++--------------------------------------------------------------+ +| X1X | +| -> e 0 0 | +| <- e, ee, s, es 2 1 | +| -> s 0 5 | +| <- se 2 3 | +| -> 2 5 | +| <- 2 5 | ++--------------------------------------------------------------+ +| XX1 | +| -> e 0 0 | +| <- e, ee, s 0 1 | +| -> es, s, se 2 3 | +| <- 2 5 | +| -> 2 5 | ++--------------------------------------------------------------+ +| X1X1 | +| -> e 0 0 | +| <- e, ee, s 0 1 | +| -> es, s 0 3 | +| <- se 2 3 | +| -> 2 5 | +| <- 2 5 | ++--------------------------------------------------------------+ +| K1N | +| -> s | +| ... | +| -> e 0 0 | +| <- e, ee 0 1 | +| -> se 2 1 | +| <- 0 5 | ++--------------------------------------------------------------+ +| K1K | +| -> s | +| <- s | +| ... | +| -> e, es 0 2 | +| <- e, ee, se 2 1 | +| -> se 2 5 | +| <- 2 5 | ++--------------------------------------------------------------+ +| KK1 | +| -> s | +| <- s | +| ... | +| -> e 0 0 | +| <- e, ee, se, es 2 3 | +| -> 2 5 | +| <- 2 5 | ++--------------------------------------------------------------+ +| K1K1 | +| -> s | +| <- s | +| ... | +| -> e 0 0 | +| <- e, ee, es 2 1 | +| -> se 2 5 | +| <- 2 5 | ++--------------------------------------------------------------+ +| K1X | +| -> s | +| ... | +| -> e 0 0 | +| <- e, ee, s, es 2 1 | +| -> se 2 5 | +| <- 2 5 | ++--------------------------------------------------------------+ +| KX1 | +| -> s | +| ... | +| -> e 0 0 | +| <- e, ee, se, s 0 3 | +| -> es 2 3 | +| <- 2 5 | +| -> 2 5 | ++--------------------------------------------------------------+ +| K1X1 | +| -> s | +| ... | +| -> e 0 0 | +| <- e, ee, s 0 1 | +| -> se, es 2 3 | +| <- 2 5 | +| -> 2 5 | ++--------------------------------------------------------------+ +| I1N | +| -> e, s 0 0 | +| <- e, ee 0 1 | +| -> se 2 1 | +| <- 0 5 | ++--------------------------------------------------------------+ +| I1K | +| <- s | +| ... | +| -> e, es, s 0 2 | +| <- e, ee 2 1 | +| -> se 2 5 | +| <- 2 5 | ++--------------------------------------------------------------+ +| IK1 | +| <- s | +| ... | +| -> e, s 0 0 | +| <- e, ee, se, es 2 3 | +| -> 2 5 | +| <- 2 5 | ++--------------------------------------------------------------+ +| I1K1 | +| <- s | +| ... | +| -> e, s 0 0 | +| <- e, ee, es 2 1 | +| -> se 2 5 | +| <- 2 5 | ++--------------------------------------------------------------+ +| I1X | +| -> e, s 0 0 | +| <- e, ee, s, es 2 1 | +| -> se 2 5 | +| <- 2 5 | ++--------------------------------------------------------------+ +| IX1 | +| -> e, s 0 0 | +| <- e, ee, se, s 0 3 | +| -> es 2 3 | +| <- 2 5 | +| -> 2 5 | ++--------------------------------------------------------------+ +| I1X1 | +| -> e, s 0 0 | +| <- e, ee, s 0 1 | +| -> se, es 2 3 | +| <- 2 5 | +| -> 2 5 | ++--------------------------------------------------------------+ # 19. References diff --git a/output/noise.html b/output/noise.html index 6f7f85c..1ce146d 100644 --- a/output/noise.html +++ b/output/noise.html @@ -92,8 +92,10 @@ </ul></li> <li><a href="#ipr">16. IPR</a></li> <li><a href="#acknowledgements">17. Acknowledgements</a></li> -<li><a href="#appendices">18. Appendices</a></li> +<li><a href="#appendices">18. Appendices</a><ul> <li><a href="#deferred-patterns">18.1 Deferred patterns</a></li> +<li><a href="#security-properties-for-deferred-patterns">18.2. Security properties for deferred patterns</a></li> +</ul></li> <li><a href="#references">19. References</a></li> </ul> </div> @@ -557,7 +559,7 @@ KK: <li><p>In some cases, deferring authentication can improve the identity-hiding properties of the handshake (see <a href="#identity-hiding">Section 7.7</a>).</p></li> <li><p>Future extensions to Noise might be capable of replacing DH operations with signatures or KEM ciphertexts, but would only be able to do so if the sender is authenticating themselves (signatures) or the sender is authenticating the recipient (KEM ciphertexts). Thus every fundamental handshake pattern is only capable of having each authentication DH replaced with a signature <em>or</em> KEM ciphertext, but the deferred variants make both replacements possible.</p></li> </ul> -<p>Below are two examples showing a fundamental handshake pattern on the left, and deferred variant(s) on the right. The full set of 22 deferred handshake patterns are in the <a href="#deferred-patterns">Appendix</a>.</p> +<p>Below are two examples showing a fundamental handshake pattern on the left, and deferred variant(s) on the right. The full set of 23 deferred handshake patterns are in the <a href="#deferred-patterns">Appendix</a>.</p> <table style="width:85%;"> <colgroup> <col width="38%" /> @@ -674,10 +676,10 @@ KK: </tr> <tr class="even"> <td><pre><code>XX - -> e 0 0 - <- e, ee, s, es 2 1 - -> s, se 2 5 - <- 2 5</code></pre></td> + -> e 0 0 + <- e, ee, s, es 2 1 + -> s, se 2 5 + <- 2 5</code></pre></td> </tr> <tr class="odd"> <td><pre><code>KN @@ -1395,8 +1397,8 @@ XXfallback: <p>Jeremy Clark, Thomas Ristenpart, and Joe Bonneau gave feedback on earlier versions.</p> <h1 id="appendices">18. Appendices</h1> -<h1 id="deferred-patterns">18.1 Deferred patterns</h1> -<p>The following table lists all 22 deferred handshake patterns in the right column, with their corresponding fundamental handshake pattern in the left column. See <a href="#handshake-patterns">Section 7</a> for an explanation of fundamental and deferred patterns.</p> +<h2 id="deferred-patterns">18.1 Deferred patterns</h2> +<p>The following table lists all 23 deferred handshake patterns in the right column, with their corresponding fundamental handshake pattern in the left column. See <a href="#handshake-patterns">Section 7</a> for an explanation of fundamental and deferred patterns.</p> <table style="width:85%;"> <colgroup> <col width="38%" /> @@ -1425,6 +1427,17 @@ XXfallback: -> es</code></pre></td> </tr> <tr class="odd"> +<td><pre><code>XN: + -> e + <- e, ee + -> s, se</code></pre></td> +<td><pre><code> X1N: + -> e + <- e, ee + -> s + <- se</code></pre></td> +</tr> +<tr class="even"> <td><pre><code>XK: <- s ... @@ -1454,7 +1467,7 @@ XXfallback: -> s <- se</code></pre></td> </tr> -<tr class="even"> +<tr class="odd"> <td><pre><code>XX: -> e <- e, ee, s, es @@ -1476,7 +1489,7 @@ XXfallback: -> es, s <- se</code></pre></td> </tr> -<tr class="odd"> +<tr class="even"> <td><pre><code>KN: -> s ... @@ -1489,7 +1502,7 @@ XXfallback: <- e, ee -> se</code></pre></td> </tr> -<tr class="even"> +<tr class="odd"> <td><pre><code>KK: -> s <- s @@ -1519,7 +1532,7 @@ XXfallback: <- e, ee, es -> se</code></pre></td> </tr> -<tr class="odd"> +<tr class="even"> <td><pre><code>KX: -> s ... @@ -1546,7 +1559,7 @@ XXfallback: <- e, ee, s -> se, es</code></pre></td> </tr> -<tr class="even"> +<tr class="odd"> <td><pre><code>IN: -> e, s <- e, ee, se</code></pre></td> @@ -1555,7 +1568,7 @@ XXfallback: <- e, ee -> se</code></pre></td> </tr> -<tr class="odd"> +<tr class="even"> <td><pre><code>IK: <- s ... @@ -1581,7 +1594,7 @@ XXfallback: <- e, ee, es -> se</code></pre></td> </tr> -<tr class="even"> +<tr class="odd"> <td><pre><code>IX: -> e, s <- e, ee, se, s, es</code></pre></td> @@ -1602,6 +1615,225 @@ XXfallback: </tr> </tbody> </table> + +<h2 id="security-properties-for-deferred-patterns">18.2. Security properties for deferred patterns</h2> +<p>The following table lists the the security properties for the Noise handshake and transport payloads for all the deferred patterns in the previous section. The security properties are labelled using the notation from <a href="#payload-security-properties">Section 7.6</a>.</p> +<table style="width:88%;"> +<colgroup> +<col width="87%" /> +</colgroup> +<tbody> +<tr class="odd"> +<td><pre><code> Source Destination</code></pre></td> +</tr> +<tr class="even"> +<td><pre><code>NK1 + <- s + ... + -> e 0 0 + <- e, ee, es 2 1 + -> 0 5</code></pre></td> +</tr> +<tr class="odd"> +<td><pre><code>NX1 + -> e 0 0 + <- e, ee, s 0 1 + -> es 0 3 + -> 2 1 + <- 0 5</code></pre></td> +</tr> +<tr class="even"> +<td><pre><code>X1N + -> e 0 0 + <- e, ee 0 1 + -> s 0 1 + <- se 0 3 + -> 2 1</code></pre></td> +</tr> +<tr class="odd"> +<td><pre><code>X1K + <- s + ... + -> e, es 0 2 + <- e, ee 2 1 + -> s 0 5 + <- se 2 3 + -> 2 5 + <- 2 5</code></pre></td> +</tr> +<tr class="even"> +<td><pre><code>XK1 + <- s + ... + -> e 0 0 + <- e, ee, es 2 1 + -> s, se 2 5 + <- 2 5</code></pre></td> +</tr> +<tr class="odd"> +<td><pre><code>X1K1 + <- s + ... + -> e 0 0 + <- e, ee, es 2 1 + -> s 0 5 + <- se 2 3 + -> 2 5 + <- 2 5</code></pre></td> +</tr> +<tr class="even"> +<td><pre><code>X1X + -> e 0 0 + <- e, ee, s, es 2 1 + -> s 0 5 + <- se 2 3 + -> 2 5 + <- 2 5</code></pre></td> +</tr> +<tr class="odd"> +<td><pre><code>XX1 + -> e 0 0 + <- e, ee, s 0 1 + -> es, s, se 2 3 + <- 2 5 + -> 2 5</code></pre></td> +</tr> +<tr class="even"> +<td><pre><code>X1X1 + -> e 0 0 + <- e, ee, s 0 1 + -> es, s 0 3 + <- se 2 3 + -> 2 5 + <- 2 5</code></pre></td> +</tr> +<tr class="odd"> +<td><pre><code>K1N + -> s + ... + -> e 0 0 + <- e, ee 0 1 + -> se 2 1 + <- 0 5</code></pre></td> +</tr> +<tr class="even"> +<td><pre><code>K1K + -> s + <- s + ... + -> e, es 0 2 + <- e, ee, se 2 1 + -> se 2 5 + <- 2 5</code></pre></td> +</tr> +<tr class="odd"> +<td><pre><code>KK1 + -> s + <- s + ... + -> e 0 0 + <- e, ee, se, es 2 3 + -> 2 5 + <- 2 5</code></pre></td> +</tr> +<tr class="even"> +<td><pre><code>K1K1 + -> s + <- s + ... + -> e 0 0 + <- e, ee, es 2 1 + -> se 2 5 + <- 2 5</code></pre></td> +</tr> +<tr class="odd"> +<td><pre><code>K1X + -> s + ... + -> e 0 0 + <- e, ee, s, es 2 1 + -> se 2 5 + <- 2 5</code></pre></td> +</tr> +<tr class="even"> +<td><pre><code>KX1 + -> s + ... + -> e 0 0 + <- e, ee, se, s 0 3 + -> es 2 3 + <- 2 5 + -> 2 5</code></pre></td> +</tr> +<tr class="odd"> +<td><pre><code>K1X1 + -> s + ... + -> e 0 0 + <- e, ee, s 0 1 + -> se, es 2 3 + <- 2 5 + -> 2 5</code></pre></td> +</tr> +<tr class="even"> +<td><pre><code>I1N + -> e, s 0 0 + <- e, ee 0 1 + -> se 2 1 + <- 0 5</code></pre></td> +</tr> +<tr class="odd"> +<td><pre><code>I1K + <- s + ... + -> e, es, s 0 2 + <- e, ee 2 1 + -> se 2 5 + <- 2 5</code></pre></td> +</tr> +<tr class="even"> +<td><pre><code>IK1 + <- s + ... + -> e, s 0 0 + <- e, ee, se, es 2 3 + -> 2 5 + <- 2 5</code></pre></td> +</tr> +<tr class="odd"> +<td><pre><code>I1K1 + <- s + ... + -> e, s 0 0 + <- e, ee, es 2 1 + -> se 2 5 + <- 2 5</code></pre></td> +</tr> +<tr class="even"> +<td><pre><code>I1X + -> e, s 0 0 + <- e, ee, s, es 2 1 + -> se 2 5 + <- 2 5</code></pre></td> +</tr> +<tr class="odd"> +<td><pre><code>IX1 + -> e, s 0 0 + <- e, ee, se, s 0 3 + -> es 2 3 + <- 2 5 + -> 2 5</code></pre></td> +</tr> +<tr class="even"> +<td><pre><code>I1X1 + -> e, s 0 0 + <- e, ee, s 0 1 + -> se, es 2 3 + <- 2 5 + -> 2 5</code></pre></td> +</tr> +</tbody> +</table> <h1 id="references" class="unnumbered">19. References</h1> <div id="refs" class="references"> <div id="ref-Rogaway:2002"> diff --git a/output/noise.pdf b/output/noise.pdf Binary files differindex 7a1398c..e4197e1 100644 --- a/output/noise.pdf +++ b/output/noise.pdf |