Noise Protocol Framework. Trevor Perrin

Size: px

Start display at page:

Download "Noise Protocol Framework. Trevor Perrin"

Clifton Morton
6 years ago
Views:

1 Noise Protocol Framework Trevor Perrin

2 Cryptography Public Key (DH, RSA, ECC etc) Symmetric Key (AES etc)

3 AKE Authenticated Key Exchange (or Agreement) Goals Shared symmetric key Authentication Forward secrecy

4 AKE in practice TLS, QUIC, SSH, IPsec Tor (Ntor, obfsproxy) CurveCP, MinimaLT OTR, Pond, ZRTP, PGP, Signal Noise

5 AKE variations One-sided or mutual auth Pre-specified or post-specified peers Identity hiding Early encryption (0-RTT) Mix in pre-shared keys Key confirmation, deniability, efficiency,

6 AKE patterns Framework of AKE patterns Easy to analyze their properties Easy to select based on requirements Easy to instantiate and implement

7 AKE g x g y shared_key = g xy

8 Server Auth g x g y, [certificates,] signature shared_key = g xy

9 Mutual Auth g x g y, [certificates,] signature [certificates,] signature shared_key = g xy

10 Details g x (can x be reused?) g y, [certificates,] signature [certificates,] signature shared_key = g xy

11 Details g x (can x be reused?) g y, [certificates,] signature(?) [certificates,] signature(?) shared_key = g xy

12 Details g x (can x be reused?) g y, [certificates,] signature(?) [certificates,] signature(?) shared_key = H(g xy )

13 Details g x (one-time ephemeral) g y, [certificates,] signature(?) [certificates,] signature(?) shared_key = H(g xy )

14 Details g x (one-time ephemeral) g y, [certificates,] signature(h) [certificates,] signature(h) shared_key = H(g xy ) h = hash of handshake so far

15 Details g x (one-time ephemeral) g y, [certificates,] signature(h) [certificates,] signature(h) shared_key = Hash(g xy ) h = hash of handshake so far

16 Details g x (one-time ephemeral) g y, [certificates,] signature(h) [certificates,] signature(h) shared_key = Hash(g xy h) h = hash of handshake so far

17 Identity hiding g x (one-time ephemeral) g y,<dh>, [certificates,] signature(h) [certificates,] signature(h) shared_key = Hash(g xy h) h = hash of handshake so far

18 Simplifying g x (one-time ephemeral) g y, <DH>, [certificates,] signature(h) [certificates,] signature(h)

19 Simplifying e e, <DH>, [certificates,] signature(h) [certificates,] signature(h)

20 Simplifying e e, <DH>, [certificates,] signature [certificates,] signature

21 Simplifying e e, <DH>, s, signature s, signature

22 Simplifying e, [payload] e, <DH>, s, signature, [payload] s, signature, [payload]

23 Simplifying e e, <DH>, s, signature s, signature

24 Noise patterns e e, dhee, s, dhse s, dhse s i s r e i e r

25 Noise patterns e e, dhee, s, dhse s, dhse s i s r e i e r

26 Noise patterns e e, dhee, s, dhse s, dhse e: Send ephemeral public key s: Send static public key (encrypt if shared key exists) dh[send][recv]: Mix the specified DH into the shared key

27 MQV? e e, dhee, s s, MQV s i s r e i e r

28 Noise patterns (Ntor?) e e, dhee, dhse s i s r e i e r

29 0-RTT encryption e, dhes e, dhee s i s r e i e r

30 0-RTT + client auth e, dhes, s, dhss e, dhee, dhes s i s r e i e r

31 0-RTT encryption e, dhes e, dhee s i s r e i e r

32 0-RTT (QUIC?) e, dhee e, dhee, dhse s i s r e i e r e r '

33 0-RTT + client auth e, dhee, s, dhse e, dhee, dhse, dhes s i s r e i e r e r '

34 Public-key encryption e, dhes s i s r e i e r

35 Authenticated encryption e, dhes, dhss s i s r e i e r

36 Protocol names Noise_pattern_dh_cipher_hash Noise_XX_25519_AESGCM_SHA256 Noise_IK_448_ChaChaPoly_BLAKE2b Noise_NX_25519_AESGCM_BLAKE2s

37 Symmetric crypto Key derivation (KDF) Bind keys to context

38 Strategy Mix all secrets into a chaining key and encryption key Encrypt everything except ephemerals, once an encryption key is present Hash all transcript into handshake hash Authenticate handshake hash in all handshake encryptions

39 Symmetric state h ck k n h = handshake hash ck = chaining key k = encryption key n = encryption nonce (counter)

40 Hashing inputs h ck k n input HASH h h = HASH(h input)

41 Hashing inputs h ck k n input HASH h input HASH h

42 KDF h ck k n KDF input ck k 0 ck, k = HKDF(salt=ck, input)

43 KDF h ck k n KDF input ck k 0 temp = HMAC(ck, input) ck = HMAC(temp, 0x01) k = HMAC(temp, ck 0x02)

44 KDF h ck k n KDF input ck k 0 KDF input ck k 0

45 Handshake encryption h ck k n (associated data) ENCRYPT plaintext HASH ciphertext h n+1

46 Handshake decryption h ck k n (associated data) DECRYPT ciphertext HASH plaintext h n+1

47 h ck k n protocol name prologue e e, dhee, s, dhse s, dhse

48 e h ck k n protocol name prologue e payload e, dhee, s, dhse s, dhse

49 e h ck k n protocol name prologue e payload e e, dhee, s, dhse s, dhse

50 e e, dhee, s, dhse h ck k n 0 protocol name prologue e payload e dhee s, dhse

51 e e, dhee, s, dhse s, dhse h ck k decrypt n 0 protocol name prologue e payload e dhee s

52 e e, dhee, s, dhse s, dhse h ck k decrypt n 0 protocol name prologue e payload e dhee s 0 dhse

53 e e, dhee, s, dhse s, dhse h ck k decrypt n 0 protocol name prologue e payload e dhee s 0 dhse decrypt payload

54 e e, dhee, s, dhse s, dhse h ck k decrypt n 0 protocol name prologue e payload e dhee s 0 dhse decrypt payload encrypt 1 s

55 e h ck k n protocol name prologue e payload e dhee e, dhee, s, dhse decrypt 0 s s, dhse 0 dhse decrypt payload encrypt 1 s 0 dhse

56 e h ck k n protocol name prologue e payload e dhee e, dhee, s, dhse decrypt 0 0 s dhse s, dhse decrypt payload encrypt 1 s 0 dhse encrypt payload

57 e h ck k decrypt n 0 protocol name prologue e payload e dhee s e, dhee, s, dhse 0 dhse decrypt payload s, dhse encrypt 1 s 0 dhse encrypt payload <split> SEND RECV

58 The future? Find more users Get more analysis New patterns and crypto functions Extend the language, new symmetric crypto?

L13. Reviews. Rocky K. C. Chang, April 10, 2015

L13. Reviews. Rocky K. C. Chang, April 10, 2015 L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing