Noise Protocol Framework

Last updated

The Noise Protocol Framework, sometimes known as Noise or Noise Framework, allows for the design of secure channel protocols between two parties. Compared to TLS 1.3, the Noise Framework (described in the public-domain Specification [1] ) allows the selection of a handshake pattern and cryptographic algorithms to produce a concrete protocol having the most appropriate cryptographic properties and tradeoffs for the task at hand, e.g. RTT behavior. Noise is the basis of some protocols with significant deployment such as Slack's Nebula, [2] WhatsApp and WireGuard.

Contents

Overview

A secure channel protocol has two phases:

The handshake pattern can be described in a diagram as a set of messages, each annotated with a list of tokens that describe cryptographic operations performed on a party's handshake state.

 Example handshake pattern having 3 messages:
 IK
        <- s
        ...
        ->e, es, s, ss
        <- e, ee, se

 Handshake names are formulaic:

 The line(s) before ... represent a message prior to DH AKE such as an out-of-band transfer of a public key.

The specification lists three one-way handshake patterns, and 12 fundamental interactive handshake patterns. There are variations of some of these:

A real world example comes from WireGuard whose Construction on page 10 of the Whitepaper is Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s.

Each handshake pattern can be combined with one of the 16 combination of the 8 cryptographic algorithms listed in the Specification. As those algorithms are of comparable quality and do not enlarge the design space.

The Specification outlines an API in §5 [4] using the following objects each having a small set of methods:

The implementation of a concrete protocol involves the design of message representation, as well as aspects outside the Noise Framework. An example of the latter happens with protocols using UDP transports, such as WireGuard which uses a sliding window to handle out-of-order arrival.

Security properties of several handshake patterns are described in the Specification and can support mutual authentication, forward secrecy, zero round-trip encryption, identity hiding and other advanced features . Formal cryptographic analyses of common handshake patterns have appeared in the academic literature. [5] [6] The second effort has resulted in the online tool Noise Explorer. [7]

Much of the following consists of excerpts from the Specification with formatting:

with the focus on:

Background

The framework was developed by Trevor Perrin with support from Moxie Marlinspike based on work done at Open Whisper Systems.

Why "Noise"

"Noise" refers to one of the design rationales: [8]

Ciphertexts are required to be indistinguishable from random because:

This makes Noise protocols easier to use with random padding (for length-hiding), or for censorship-resistant "unfingerprintable" protocols, or with Steganography. However note that ephemeral keys are likely to be distinguishable from random unless a technique such as Elligator is used. [9]

Possibly also a pun on Signal (software).

DH Based Protocols (from RWC 2018 talk)

Most secure channel protocols use an AKE based on signatures (for authentication) and Diffie-Hellman (for key exchange). In last 10–15 years, growing interest in DH-based AKEs (without signatures).

Elegant, but each protocol starts from scratch

Development

The initial commit for the Specification was on Aug 4, 2014 [16] and underwent many changes following discussion on the mailing list until rev34 on Jul 11, 2018. [17] NB originally maintained in Wiki starting from 10-Feb-2013. [18]

Protocol Names and Modifiers §8

To produce a Noise Protocol name for Initialize() you concatenate the ASCII string Noise_ with four underscore-separated name sections which sequentially name the handshake pattern, the DH functions, the cipher functions, and then the hash functions. The resulting name must be 255 bytes or less. [19] Examples:

Each name section must consist only of alphanumeric characters (i.e. characters in one of the ranges "A"..."Z", "a"..."z", and "0"..."9"), and the two special characters "+" and "/".

Additional rules apply to each name section, as specified below.

Handshake pattern name section §8.1

A handshake pattern name section contains a handshake pattern name plus a sequence of zero or more pattern modifiers. [20]

The handshake pattern name must be an uppercase ASCII string containing only alphabetic characters or numerals (e.g. XX1 or IK).

Pattern modifiers specify arbitrary extensions or modifications to the behavior specified by the handshake pattern. For example, a modifier could be applied to a handshake pattern which transforms it into a different pattern according to some rule. The psk0 and fallback modifiers are examples of this, and will be defined later in this document.

A pattern modifier is named with a lowercase alphanumeric ASCII string which must begin with an alphabetic character (not a numeral). The pattern modifier is appended to the base pattern as described below:

The first modifier added onto a base pattern is simply appended. Thus the fallback modifier, when added to the XX pattern, produces XXfallback. Additional modifiers are separated with a plus sign. Thus, adding the psk0 modifier would result in the name section XXfallback+psk0, or a full protocol name such as Noise_XXfallback+psk0_25519_AESGCM_SHA256.

In some cases the sequential ordering of modifiers will specify different protocols. However, if the order of some modifiers does not matter, then they are required to be sorted alphabetically (this is an arbitrary convention to ensure interoperability).

Cryptographic algorithm name sections §8.2

The rules for the DH, cipher, and hash name sections are identical. Each name section must contain one or more algorithm names separated by plus signs. [21]

Each algorithm name must consist solely of alphanumeric characters and the forward-slash character ("/"). Algorithm names are recommended to be short, and to use the "/" character only when necessary to avoid ambiguity (e.g. SHA3/256 is preferable to SHA3256).

In most cases there will be a single algorithm name in each name section (i.e. no plus signs). Multiple algorithm names are only used when called for by the pattern or a modifier.

None of the patterns or modifiers in this document require multiple algorithm names in any name section. However, this functionality might be useful in future extensions. For example, multiple algorithm names might be used in the DH section to specify "hybrid" post-quantum forward secrecy; or multiple hash algorithms might be specified for different purposes.

Cryptographic Algorithms, §12

The Specification lists 8 modern algorithms with the following names. [22] [23]

Diffie-Hellman Functions
25519 Curve25519
448 Curve448
Cipher Functions
ChaChaPoly ChaCha20-Poly1305
AESGCM Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM)
Hash Functions
SHA256 SHA256
SHA512 SHA512
BLAKE2s BLAKE2s
BLAKE2b BLAKE2b

The Wiki has this list of unofficial algorithms; [24] I've omitted the Post-Quantum ones as the entries pre-date the NIST Post-Quantum Cryptography Standardization effort starting in 2016 with the first three Post Quantum Crypto Standards: FIPS 203, FIP 204, and FIP 205 in 2024.

Here we[ who? ] document some names which could be used for nonstandard algorithms, so that experimental use of these algorithms could use consistent names (NOTE: None of these algorithms are endorsed for use with Noise, use at your own risk).

Diffie-Hellman Functions
secp256k1secp256k1, [25] used by Lightning
FourQFourQ [26]
NIST P256P-256 [27]
NIST P384P-384 [28]
NIST P521P-521 [29]
Cipher Functions
DeoxysIIused by Nyquist
AESGCMSIV AES-GCM-SIV
AESPMACSIV AES-GCM-SIV
KravatteKravatte [30]
KravatteSIVKravatte-SIV [31]
Hash Functions
SHA3/256 SHA-3#Instances
SHA3/512 SHA-3#Instances
SHAKE128 SHA-3#Instances (HASHLEN=32)
SHAKE256 SHA-3#Instances (HASHLEN=64)
K12Kangaroo12 [32]
M14Marsupilami14 [33]

Prologue §6

Noise Protocols have a prologue input which allows arbitrary data to be hashed into the h variable. If both parties do not provide identical prologue data, the handshake will fail due to a decryption error. This is useful when the parties engaged in negotiation prior to the handshake and want to ensure they share identical views of that negotiation. [34]

For example, suppose Bob communicates to Alice a list of Noise Protocols that he is willing to support. Alice will then choose and execute a single protocol. To ensure that a "man-in-the-middle" did not edit Bob's list to remove options, Alice and Bob could include the list as prologue data.

Note that while the parties confirm their prologues are identical, they don't mix prologue data into encryption keys. If an input contains secret data that's intended to strengthen the encryption, a PSK handshake should be used instead (see §9).

Handshake patterns

Handshake Patterns: 3 One-Way §7.4

The following handshake patterns represent "one-way" handshakes supporting a one-way stream of data from a sender to a recipient. These patterns could be used to encrypt files, database records, or other non-interactive data streams. [35]

Following a one-way handshake the sender can send a stream of transport messages, encrypting them using the first CipherState returned by Split() The second CipherState from Split() is discarded - the recipient must not send any messages using it (as this would violate the rules in §7.3).

One-way patterns are named with a single character, which indicates the status of the sender's static key:

N:

 <- s  ...  -> e, es

K:

 -> s  <- s  ...  -> e, es, ss

X:

 <- s  ...  -> e, es, s, ss

N is a conventional DH-based public-key encryption. The other patterns add sender authentication, where the sender's public key is either known to the recipient beforehand (K) or transmitted under encryption (X).

Handshake Patterns, 12 Fundamental Interactive §7.5

The following handshake patterns represent interactive protocols. These 12 patterns are called the "fundamental" interactive handshake patterns. [36]

The fundamental interactive patterns are named with two characters, which indicate the status of the initiator and responder's static keys:

The first character refers to the initiator's static key:

The second character refers to the responder's static key:

NN
00#1        -> e
01#2        <- e, ee
01#3        ->
NK
#1        <- s
          ...
02#2        -> e, es
21#3        <- e, ee
05#4        ->
NX
00#1        -> e
21#2        <- e, ee, s, es
05#3        ->
XN
00#1        -> e
01#2        <- e, ee
21#3        -> s, se
05#4        <-
XK
#1        <- s
          ...
02#2        -> e, es
21#3        <- e, ee
25#4        -> s, se
25#5        <-
XX
00#1        -> e
21#2        <- e, ee, s, es
25#3        -> s, se
25#4        <-
KN
#1        -> s
          ...
00#2        -> e
03#3        <- e, ee, se
21#4        ->
05#5        <-
KK
#1        -> s
#2        <- s
          ...
12#3        -> e, es, ss
24#4        <- e, ee, se
25#5        ->
25#6        <-
KX
#1        -> s
          ...
00#2        -> e
23#3        <- e, ee, se, s, es
25#4        ->
25#5        <-
IN
00#1        -> e, s
03#2        <- e, ee, se
21#3        ->
05#4        <-
IK
#1        <- s
          ...
12#2        -> e, es, s, ss
24#3        <- e, ee, se
25#4        ->
25#5        <-
IX
00#1        -> e, s
23#2        <- e, ee, se, s, es
25#3        ->
25#4        <-

The first two columns in the table above, prior to each message pattern, lists the security properties for Noise handshake and transport payloads for all the one-way patterns in §7.4 and the fundamental patterns in §7.5. Each payload is assigned a "source" property regarding the degree of authentication of the sender provided to the recipient, and a "destination" property regarding the degree of confidentiality provided to the sender.

For the sender:

Used by: IN#1, IN#2, IN#4, IX#1, KN#2, KN#3, KN#5, KX#2, NK#2, NK#4, NN#1, NN#2, NN#3, NX#1, NX#3, XK#2, XN#1, XN#2, XN#4, XX#1

Used by: IK#2, IN#3, KK#3, KN#4, NK#3, NN#2, NN#3, NX#2, XK#3, XN#2, XN#3, XX#2

Used by: IK#2, IK#3, IK#4, IK#5, IN#3, IX#2, IX#3, IX#4, KK#3, KK#4, KK#5, KK#6, KN#4, KX#3, KX#4, KX#5, NK#2, NK#3, NX#2, XK#2, XK#3, XK#4, XK#5, XN#3, XX#2, XX#3, XX#4

For the recipient:

Used by: IN#1, IN#2, IN#4, IX#1, KN#2, KN#3, KN#5, KX#2, NK#2, NK#4, NN#1, NN#2, NN#3, NX#1, NX#3, XK#2, XN#1, XN#2, XN#4, XX#1

Used by: IK#2, IN#3, KK#3, KN#4, NK#3, NN#2, NN#3, NX#2, XK#3, XN#2, XN#3, XX#2

Used by: IK#2, IK#3, IK#4, IK#5, IN#3, IX#2, IX#3, IX#4, KK#3, KK#4, KK#5, KK#6, KN#4, KX#3, KX#4, KX#5, NK#2, NK#3, NX#2, XK#2, XK#3, XK#4, XK#5, XN#3, XX#2, XX#3, XX#4

Used by: IN#2, IX#2, KN#3, KX#3

Used by: IK#3, KK#4

Used by: IK#4, IK#5, IN#4, IX#3, IX#4, KK#5, KK#6, KN#5, KX#4, KX#5, NK#4, NX#3, XK#4, XK#5, XN#4, XX#3, XX#4

Identity-Hiding Property of Common Patterns §7.8

The following table lists the identity-hiding properties for all the one-way handshake patterns in §7.4 and the fundamental handshake patterns in §7.5. In addition, we list a few deferred handshake patterns which have different identity-hiding properties than the corresponding fundamental pattern. [37]

Each pattern is assigned properties describing the confidentiality supplied to the initiator's static public key, and to the responder's static public key. The underlying assumptions are that ephemeral private keys are secure, and that parties abort the handshake if they receive a static public key from the other party which they don't trust.

This section only considers identity leakage through static public key fields in handshakes. Of course, the identities of Noise participants might be exposed through other means, including payload fields, traffic analysis, or metadata such as IP addresses.

InitiatorResponder
N-3
K55
X43
NN--
NK-3
NK1-9
NX-1
XN2-
XK83
XK189
XX81
KN7-
KK55
KX76
IN0-
IK43
IK109
IX06

The properties for the relevant public key are:

Handshake Patterns: Interactive, Deferred §7.6

The fundamental handshake patterns in the previous section perform DH operations for authentication (es and se) as early as possible. [38]

An additional set of handshake patterns can be described which defer these authentication DHs to the next message. To name these deferred handshake patterns, the numeral 1 is used after the first and/or second character in a fundamental pattern name to indicate that the initiator and/or responder's authentication DH is deferred to the next message.

Deferred patterns might be useful for several reasons:

Below are two examples showing a fundamental handshake pattern on the left, and deferred variant(s) on the right. The full set of 23 deferred handshake patterns are in the Appendix §18. [39]

NKNK1
    <- s    <- s
    ...    ...
    ->e, es    ->e
    ->e, ee   ->e, ee, es
XXX1X
    ->e     ->e
    <- e, ee, s, es     <- e, ee, s, es
    ->s, se     ->s
         <- se
XX1
         ->e
         <- e, ee, s
         ->es, s, se
X1X1
         ->e
         <- e, ee, s
         ->es, s
         <- se

Handshake Patterns: Compound §10

[40]

Rationale for compound protocols §10.1

So far we've assumed Alice and Bob wish to execute a single Noise Protocol chosen by the initiator (Alice). However, there are a number of reasons why Bob might wish to switch to a different Noise Protocol after receiving Alice's first message. For example: [41]

Alice might have chosen a Noise Protocol based on a cipher, DH function, or handshake pattern which Bob doesn't support.

Alice might have sent a "zero-RTT" encrypted initial message based on an out-of-date version of Bob's static public key or PSK.

Handling these scenarios requires a compound protocol where Bob switches from the initial Noise Protocol chosen by Alice to a new Noise Protocol. In such a compound protocol the roles of initiator and responder would be reversed - Bob would become the initiator of the new Noise Protocol, and Alice the responder.

Compound protocols introduce significant complexity as Alice needs to advertise the Noise Protocol she is beginning with and the Noise Protocol(s) she is capable of switching to, and both parties have to negotiate a secure transition.

These details are largely out of scope for this document. However, to give an example of how compound protocols can be constructed, and to provide some building blocks, the following sections define a fallback modifier and show how it can be used to create a Noise Pipe compound protocol.

Noise Pipes support the XX pattern, but also allow Alice to cache Bob's static public key and attempt an IK handshake with 0-RTT encryption.

In case Bob can't decrypt Alice's initial IK message, he will switch to the XXfallback pattern, which essentially allows the parties to complete an XX handshake as if Alice had sent an XX initial message instead of an IK initial message.

The fallback modifier §10.2

The fallback modifier converts an Alice-initiated pattern to a Bob-initiated pattern by converting Alice's initial message to a pre-message that Bob must receive through some other means (e.g. via an initial IK message from Alice). After this conversion, the rest of the handshake pattern is interpreted as a Bob-initiated handshake pattern. [42]

For example, here is the fallback modifier applied to XX to produce XXfallback:

XX: 

 -> e  <- e, ee, s, es  -> s, se

XXfallback: 

 -> e  ...  <- e, ee, s, es  -> s, se

Note that fallback can only be applied to handshake patterns in Alice-initiated form where Alice's first message is capable of being interpreted as a pre-message (i.e. it must be either e, s, or "e, s").

Zero-RTT and Noise Protocols §10.3

A typical compound protocol for zero-RTT encryption involves three different Noise Protocols: [43]

  • A full protocol is used if Alice doesn't possess stored information about Bob that would enable zero-RTT encryption, or doesn't wish to use the zero-RTT handshake.
  • A zero-RTT protocol allows encryption of data in the initial message.
  • A switch protocol is triggered by Bob if he can't decrypt Alice's first zero-RTT handshake message.

There must be some way for Bob to distinguish the full versus zero-RTT cases on receiving the first message. If Alice makes a zero-RTT attempt, there must be some way for her to distinguish the zero-RTT versus switch cases on receiving the response.

For example, each handshake message could be preceded by some negotiation data, such as a type byte (see §13). This data is not part of the Noise message proper, but signals which Noise Protocol is being used.

Noise Pipes §10.4

This section defines the Noise Pipe compound protocol. The following handshake patterns satisfy the full, zero-RTT, and switch roles discussed in the previous section, so can be used to provide a full handshake with a simple zero-RTT option: [3]

XX: 

 -> e  <- e, ee, s, es  -> s, se

IK: 

 <- s                       ...  -> e, es, s, ss  <- e, ee, se

XXfallback: 

 -> e  ...  <- e, ee, s, es  -> s, se

The XX pattern is used for a full handshake if the parties haven't communicated before, after which Alice can cache Bob's static public key.

The IK pattern is used for a zero-RTT handshake.

The XXfallback pattern is used for a switch handshake if Bob fails to decrypt an initial IK message (perhaps due to having changed his static key).

NoiseLingo negotiation language on top of NoiseSocket

Email from Trevor Perrin on 4-Mar-2018 [44]

I've created a draft spec for an "NLS" framework that adds a negotiation language ("NoiseLingo") on top of NoiseSocket (hence "NoiseLingoSocket"). This is based on ideas from 1. [45]

This needs a tweaked NoiseSocket draft, with modifications from 2 [46] (renaming a couple things, and changing the prologue calculation to differentiate the "retry" case, and to add an application prologue):

  • The NLS Framework [47]
  • The NoiseSocket Protocol [48]

The NLS draft also defines some "basic profiles", which are intended as high-level protocols usable by application developers:

  • NoiseLink (1-RTT handshake)
  • NoiseZeroLink (0-RTT handshake)
  • NoiseShortLink (for low-end embedded)
  • NoiseAnonBox (public-key encryption)
  • NoseAuthBox (public-key encryption + sender auth)

The idea is that NoiseLingo and NLS give you a menu of negotiation fields that are easy to choose from to create profiles. Also, these profiles will have a lot of similarity and thus potential for interop (e.g. a NoiseZeroLink client can talk to a NoiseLink server, by falling back to 1-RTT). And if you start with something simple like NoiseLink, it's easy to add new NLS fields and negotiation options as you discover new needs.

Application responsibilities §13

An application built on Noise must consider several issues: [49]

Security considerations §14

This section collects various security considerations: [50]

Implementations

LanguageName
CNoise-C [51]
C#Noise.NET [52]
CLInoisecat [53]
Erlangnoise [54]
JavaNoise-Java [55]
JavaScript/WASMnoise-c.wasm [56] (from Noise-C)
Haskellcacophony [57]
Gonoise [58]
Gonyquist [59]
GoNoisePlugAndPlay [60]
Objective-CNoise.framework [61] (macOS and iOS compatible framework, Swift friendly)
Pythonnoiseprotocol [62]
PythonDissononce [63]
Racketnoise-protocol [61]
RubyNoise [64]
RustSnow [65]
RustNoise-Rust [66]

Concrete protocols

Comparison to TLS1.3

The development of the Noise framework and TLS 1.3 both spanned the period between 2014 and 2018. The first draft of RFC 8446 [69] was in August 2014, culminating in the release of the Proposed Standard in August 2018 after 28 drafts. There was a short thread [70] on the mailing-list with a comparison to the OPTLS proposal. [71]

See also

Some other uses of noise in the general cryptographic sense:

Related Research Articles

<span class="mw-page-title-main">Diffie–Hellman key exchange</span> Method of exchanging cryptographic keys

Diffie–Hellman (DH) key exchange is a mathematical method of securely generating a symmetric cryptographic key over a public channel and was one of the first public-key protocols as conceived by Ralph Merkle and named after Whitfield Diffie and Martin Hellman. DH is one of the earliest practical examples of public key exchange implemented within the field of cryptography. Published in 1976 by Diffie and Hellman, this is the earliest publicly known work that proposed the idea of a private key and a corresponding public key.

<span class="mw-page-title-main">Public-key cryptography</span> Cryptographic system with public and private keys

Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic algorithms based on mathematical problems termed one-way functions. Security of public-key cryptography depends on keeping the private key secret; the public key can be openly distributed without compromising security. There are many kinds of public-key cryptosystems, with different security goals, including digital signature, Diffie-Hellman key exchange, public-key key encapsulation, and public-key encryption.

In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks (VPNs).

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network, such as the Internet. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

In computer security, challenge-response authentication is a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated.

Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the three security certification programs developed after 2000 by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP).

In cryptography, a message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message. In other words, to confirm that the message came from the stated sender and has not been changed. The MAC value allows verifiers to detect any changes to the message content.

IEEE 802.11i-2004, or 802.11i for short, is an amendment to the original IEEE 802.11, implemented as Wi-Fi Protected Access II (WPA2). The draft standard was ratified on 24 June 2004. This standard specifies security mechanisms for wireless networks, replacing the short Authentication and privacy clause of the original standard with a detailed Security clause. In the process, the amendment deprecated broken Wired Equivalent Privacy (WEP), while it was later incorporated into the published IEEE 802.11-2007 standard.

<span class="mw-page-title-main">Forward secrecy</span> Practice in cryptography

In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key-agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised, limiting damage. For HTTPS, the long-term secret is typically the private key of the server. Forward secrecy protects past sessions against future compromises of keys or passwords. By generating a unique session key for every session a user initiates, the compromise of a single session key will not affect any data other than that exchanged in the specific session protected by that particular key. This by itself is not sufficient for forward secrecy which additionally requires that a long-term secret compromise does not affect the security of past session keys.

The Secure Real-time Transport Protocol (SRTP) is a profile for Real-time Transport Protocol (RTP) intended to provide encryption, message authentication and integrity, and replay attack protection to the RTP data in both unicast and multicast applications. It was developed by a small team of Internet Protocol and cryptographic experts from Cisco and Ericsson. It was first published by the IETF in March 2004 as RFC 3711.

A cryptographic key is a string of data that is used to lock or unlock cryptographic functions, including authentication, authorization and encryption. Cryptographic keys are grouped into cryptographic key types according to the functions they perform.

Multimedia Internet KEYing (MIKEY) is a key management protocol that is intended for use with real-time applications. It can specifically be used to set up encryption keys for multimedia sessions that are secured using SRTP, the security protocol commonly used for securing real-time communications such as VoIP.

DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in email, a technique often used in phishing and email spam.

<span class="mw-page-title-main">Cryptographic nonce</span> Concept in cryptography

In cryptography, a nonce is an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that each communication session is unique, and therefore that old communications cannot be reused in replay attacks. Nonces can also be useful as initialization vectors and in cryptographic hash functions.

In cryptography, a three-pass protocol for sending messages is a framework which allows one party to securely send a message to a second party without the need to exchange or distribute encryption keys. Such message protocols should not be confused with various other algorithms which use 3 passes for authentication.

Kerberized Internet Negotiation of Keys (KINK) is a protocol defined in RFC 4430 used to set up an IPsec security association (SA), similar to Internet Key Exchange (IKE), utilizing the Kerberos protocol to allow trusted third parties to handle authentication of peers and management of security policies in a centralized fashion.

A cipher suite is a set of algorithms that help secure a network connection. Suites typically use Transport Layer Security (TLS) or its deprecated predecessor Secure Socket Layer (SSL). The set of algorithms that cipher suites usually contain include: a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

<span class="mw-page-title-main">Double Ratchet Algorithm</span> Cryptographic key management algorithm

In cryptography, the Double Ratchet Algorithm is a key management algorithm that was developed by Trevor Perrin and Moxie Marlinspike in 2013. It can be used as part of a cryptographic protocol to provide end-to-end encryption for instant messaging. After an initial key exchange it manages the ongoing renewal and maintenance of short-lived session keys. It combines a cryptographic so-called "ratchet" based on the Diffie–Hellman key exchange (DH) and a ratchet based on a key derivation function (KDF), such as a hash function, and is therefore called a double ratchet.

<span class="mw-page-title-main">Signal Protocol</span> Non-federated cryptographic protocol

The Signal Protocol is a non-federated cryptographic protocol that provides end-to-end encryption for voice and instant messaging conversations. The protocol was developed by Open Whisper Systems in 2013 and was introduced in the open-source TextSecure app, which later became Signal. Several closed-source applications have implemented the protocol, such as WhatsApp, which is said to encrypt the conversations of "more than a billion people worldwide" or Google who provides end-to-end encryption by default to all RCS-based conversations between users of their Google Messages app for one-to-one conversations. Facebook Messenger also say they offer the protocol for optional Secret Conversations, as does Skype for its Private Conversations.

Application Layer Transport Security (ALTS) is a Google-developed authentication and transport encryption system used for securing remote procedure call (RPC) within Google machines. Google started its development in 2023, as a tailored modification of TLS.

References

  1. "The Noise Protocol Framework - IPR". noiseprotocol.org. Retrieved 2024-12-15.
  2. 1 2 slackhq/nebula, Slack, 2024-12-15, retrieved 2024-12-15
  3. 1 2 "The Noise Protocol Framework - Noise Pipes". noiseprotocol.org. Retrieved 2024-12-15.
  4. "The Noise Protocol Framework - Processing rules". noiseprotocol.org. Retrieved 2024-12-15.
  5. Dowling, Benjamin; Rösler, Paul; Schwenk, Jörg (2020), "Flexible Authenticated and Confidential Channel Establishment (fACCE): Analyzing the Noise Protocol Framework", Lecture Notes in Computer Science, Cham: Springer International Publishing, pp. 341–373, doi:10.1007/978-3-030-45374-9_12, hdl: 20.500.11850/399156 , ISBN   978-3-030-45373-2 , retrieved 2024-05-17
  6. Kobeissi, Nadim; Nicolas, Georgio; Bhargavan, Karthikeyan (June 2019). "Noise Explorer: Fully Automated Modeling and Verification for Arbitrary Noise Protocols". 2019 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE. pp. 356–370. doi:10.1109/eurosp.2019.00034. ISBN   978-1-7281-1148-3.
  7. "Noise Explorer: Explore Patterns". noiseexplorer.com. Retrieved 2024-12-15.
  8. "The Noise Protocol Framework - Rationales". noiseprotocol.org. Retrieved 2024-12-15.
  9. "Elligator". elligator.org. Retrieved 2024-12-15.
  10. Chen, Liqun; Kudla, Caroline; Paterson, Kenneth G. (2004). "Concurrent Signatures". In Cachin, Christian; Camenisch, Jan L. (eds.). Advances in Cryptology - EUROCRYPT 2004. Lecture Notes in Computer Science. Vol. 3027. Berlin, Heidelberg: Springer. pp. 287–305. doi:10.1007/978-3-540-24676-3_18. ISBN   978-3-540-24676-3.
  11. "Stronger Security of Authenticated Key Exchange" (PDF). Microsoft.
  12. 1 2 "Anonymity and one-way authentication in key exchange protocols" (PDF). cacr.uwaterloo.ca.
  13. "OPTLS and TLS 1.3" (PDF). www.ndss-symposium.org.
  14. "Mike Hamburg". iacr.org. Retrieved 2024-12-15.
  15. "The Strobe Protocol Framework". www.cryptologie.net. Retrieved 2024-12-15.
  16. "Adding work in progress spec. · noiseprotocol/noise_spec@213237c". GitHub. Retrieved 2024-12-15.
  17. "rev34draft -> rev34 · noiseprotocol/noise_spec@ecdf084". GitHub. Retrieved 2024-12-15.
  18. "Home". GitHub. Retrieved 2024-12-15.
  19. "The Noise Protocol Framework - Protocol names and modifiers". noiseprotocol.org. Retrieved 2024-12-15.
  20. "The Noise Protocol Framework - Handshake pattern name section". noiseprotocol.org. Retrieved 2024-12-15.
  21. "The Noise Protocol Framework - Cryptographic algorithm name sections". noiseprotocol.org. Retrieved 2024-12-15.
  22. "The Noise Protocol Framework - DH functions, cipher functions, and hash functions". noiseprotocol.org. Retrieved 2024-12-15.
  23. "The Noise Protocol Framework - Crypto functions". noiseprotocol.org. Retrieved 2024-12-15.
  24. "Unofficial crypto algorithms list". GitHub. Retrieved 2024-12-15.
  25. "secp256k1". neuromancer.sk. Retrieved 2024-12-15.
  26. "FourQ". neuromancer.sk. Retrieved 2024-12-15.
  27. "P-256". neuromancer.sk. Retrieved 2024-12-15.
  28. "P-384". neuromancer.sk. Retrieved 2024-12-15.
  29. "P-521". neuromancer.sk. Retrieved 2024-12-15.
  30. "Kravatte". keccak.team. Retrieved 2024-12-15.
  31. "Keccak Team". keccak.team. Retrieved 2024-12-15.
  32. "KangarooTwelve: fast hashing based on Keccak-p". keccak.team. Retrieved 2024-12-15.
  33. "Why does KangarooTwelve only use 12 rounds?". Cryptography Stack Exchange. Retrieved 2024-12-15.
  34. "The Noise Protocol Framework - Prologue". noiseprotocol.org. Retrieved 2024-12-15.
  35. "The Noise Protocol Framework - One-way handshake patterns". noiseprotocol.org. Retrieved 2024-12-15.
  36. "The Noise Protocol Framework - Interactive handshake patterns (fundamental)". noiseprotocol.org. Retrieved 2024-12-15.
  37. "The Noise Protocol Framework - Identity hiding". noiseprotocol.org. Retrieved 2024-12-15.
  38. "The Noise Protocol Framework - Interactive handshake patterns (deferred)". noiseprotocol.org. Retrieved 2024-12-15.
  39. "The Noise Protocol Framework - Appendices". noiseprotocol.org. Retrieved 2024-12-15.
  40. "The Noise Protocol Framework - Compound protocols". noiseprotocol.org. Retrieved 2024-12-15.
  41. "The Noise Protocol Framework - Rationale for compound protocols". noiseprotocol.org. Retrieved 2024-12-15.
  42. "The Noise Protocol Framework - The fallback modifier". noiseprotocol.org. Retrieved 2024-12-15.
  43. "The Noise Protocol Framework - Zero-RTT and Noise protocols". noiseprotocol.org. Retrieved 2024-12-15.
  44. "[noise] NLS?". moderncrypto.org. Retrieved 2024-12-15.
  45. "[noise] NoiseLink customization". moderncrypto.org. Retrieved 2024-12-15.
  46. "[noise] Document status and plans". moderncrypto.org. Retrieved 2024-12-15.
  47. "nls_spec/output/nls.pdf at master · noiseprotocol/nls_spec" (PDF). GitHub. Retrieved 2024-12-15.
  48. "noisesocket_spec/output/noisesocket.pdf at master · noiseprotocol/noisesocket_spec" (PDF). GitHub. Retrieved 2024-12-15.
  49. "The Noise Protocol Framework - Application responsibilities". noiseprotocol.org. Retrieved 2024-12-15.
  50. "The Noise Protocol Framework - Security considerations". noiseprotocol.org. Retrieved 2024-12-15.
  51. rweather (2024-12-07), rweather/noise-c , retrieved 2024-12-15
  52. Mijailovic, Nemanja (2024-11-18), Metalnem/noise , retrieved 2024-12-15
  53. Giacomo, Gerardo Di (2024-11-16), gedigi/noisecat , retrieved 2024-12-15
  54. aeternity/enoise, æternity, 2024-09-14, retrieved 2024-12-15
  55. rweather (2024-11-27), rweather/noise-java , retrieved 2024-12-15
  56. Mokrynskyi, Nazar (2024-05-17), nazar-pc/noise-c.wasm , retrieved 2024-12-15
  57. haskell-cryptography/cacophony, Haskell Cryptography Group, 2024-09-23, retrieved 2024-12-15
  58. flynn/noise, Flynn, 2024-12-02, retrieved 2024-12-15
  59. Angel, Yawning (2024-11-26), Yawning/nyquist , retrieved 2024-12-15
  60. "NoiseGo/noise at master · mimoo/NoiseGo". GitHub. Retrieved 2024-12-15.
  61. 1 2 OuterCorner/Noise, Outer Corner, 2024-11-18, retrieved 2024-12-15
  62. Lizończyk, Piotr (2024-12-07), plizonczyk/noiseprotocol , retrieved 2024-12-15
  63. Tarek (2024-11-12), tgalal/dissononce , retrieved 2024-12-15
  64. Yamaguchi (2024-06-28), Yamaguchi/noise , retrieved 2024-12-15
  65. McGinty, Jake (2024-12-15), mcginty/snow , retrieved 2024-12-15
  66. Guanhao, Yin (2024-12-05), blckngm/noise-rust , retrieved 2024-12-15
  67. Victor (2024-12-02). "David Marcus Reveals Why Libra Was Shut Down". Altcoin Buzz. Retrieved 2024-12-15.
  68. Hall-Andersen, Mathias; Wong, David; Sullivan, Nick; Chator, Alishah (2019), nQUIC: Noise-Based QUIC Packet Protection , retrieved 2024-12-15
  69. Rescorla, Eric (August 2018). The Transport Layer Security (TLS) Protocol Version 1.3 (Report). Internet Engineering Task Force.
  70. "[noise] TLS 1.3". moderncrypto.org. Retrieved 2024-12-15.
  71. "The OPTLS Protocol and TLS 1.3" (PDF). eprint.iacr.org. 2015-10-09.

Presentations:

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.