* Nonce in out-of-order messages
@ 2019-07-24 10:05 Hristo Georgiev
2019-08-25 15:56 ` Jason A. Donenfeld
0 siblings, 1 reply; 3+ messages in thread
From: Hristo Georgiev @ 2019-07-24 10:05 UTC (permalink / raw)
To: wireguard
Hello
I’m working on file transfer protocol inspired by Noise and Wireguard over UDP with static keys so the handshake pattern is going to be Noise_IK_25519_ChaChaPoly_BLAKE2s or KK. In general i’m trying to follow NoiseSocket spec but adapted to UDP and i was wondering where to place the ‘nonce’ into packet to extend the protocol as described into p.11.4 in NoiseProtocol spec http://www.noiseprotocol.org/noise.html#out-of-order-transport-messages . So I had a look into WireGuard implementation (which I use a lot in multiple sites, mostly on EdgeRouters)
so what i found in noise.c line 445 message_decrypt:
chacha20poly1305_decrypt(dst_plaintext, src_ciphertext, src_len,
hash, NOISE_HASH_LEN,
0 /* Always zero for Noise_IK */, key))
Correct me if I’m mistaken, I’m not C programer nor cryptographer, I think this zero here is the Nonce. If that’s the case what security sacrifices and the chance for replay attacks are?
Would it be Ok if I also hardcode the Nonce to 0 in my implementation?
Thank you,
Hristo
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Nonce in out-of-order messages
2019-07-24 10:05 Nonce in out-of-order messages Hristo Georgiev
@ 2019-08-25 15:56 ` Jason A. Donenfeld
2019-09-01 8:10 ` Hristo Georgiev
0 siblings, 1 reply; 3+ messages in thread
From: Jason A. Donenfeld @ 2019-08-25 15:56 UTC (permalink / raw)
To: Hristo Georgiev; +Cc: WireGuard mailing list
On Sun, Aug 25, 2019 at 9:36 AM Hristo Georgiev <hristo.metal@gmail.com> wrote:
>
> Hello
> I’m working on file transfer protocol inspired by Noise and Wireguard over UDP with static keys so the handshake pattern is going to be Noise_IK_25519_ChaChaPoly_BLAKE2s or KK. In general i’m trying to follow NoiseSocket spec but adapted to UDP and i was wondering where to place the ‘nonce’ into packet to extend the protocol as described into p.11.4 in NoiseProtocol spec http://www.noiseprotocol.org/noise.html#out-of-order-transport-messages . So I had a look into WireGuard implementation (which I use a lot in multiple sites, mostly on EdgeRouters)
> so what i found in noise.c line 445 message_decrypt:
>
> chacha20poly1305_decrypt(dst_plaintext, src_ciphertext, src_len,
> hash, NOISE_HASH_LEN,
> 0 /* Always zero for Noise_IK */, key))
>
> Correct me if I’m mistaken, I’m not C programer nor cryptographer, I think this zero here is the Nonce. If that’s the case what security sacrifices and the chance for replay attacks are?
> Would it be Ok if I also hardcode the Nonce to 0 in my implementation?
This isn't the nonce used as part of the transport object, but rather
a single encryption/decryption that happens with a unique key as part
of the handshake. It being zero is a natural consequence of the
protocol flow.
Don't hardcode a zero nonce in transport messages.
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Nonce in out-of-order messages
2019-08-25 15:56 ` Jason A. Donenfeld
@ 2019-09-01 8:10 ` Hristo Georgiev
0 siblings, 0 replies; 3+ messages in thread
From: Hristo Georgiev @ 2019-09-01 8:10 UTC (permalink / raw)
To: Jason A. Donenfeld; +Cc: WireGuard mailing list
Thank you for the answer Jason, I appreciate your time and excellent work.
After deep dive I’ve found transport messages and RFC6479 replay detection implementation.
Cheers,
Hristo
> On 25 Aug 2019, at 18:56, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> On Sun, Aug 25, 2019 at 9:36 AM Hristo Georgiev <hristo.metal@gmail.com> wrote:
>>
>> Hello
>> I’m working on file transfer protocol inspired by Noise and Wireguard over UDP with static keys so the handshake pattern is going to be Noise_IK_25519_ChaChaPoly_BLAKE2s or KK. In general i’m trying to follow NoiseSocket spec but adapted to UDP and i was wondering where to place the ‘nonce’ into packet to extend the protocol as described into p.11.4 in NoiseProtocol spec http://www.noiseprotocol.org/noise.html#out-of-order-transport-messages . So I had a look into WireGuard implementation (which I use a lot in multiple sites, mostly on EdgeRouters)
>> so what i found in noise.c line 445 message_decrypt:
>>
>> chacha20poly1305_decrypt(dst_plaintext, src_ciphertext, src_len,
>> hash, NOISE_HASH_LEN,
>> 0 /* Always zero for Noise_IK */, key))
>>
>> Correct me if I’m mistaken, I’m not C programer nor cryptographer, I think this zero here is the Nonce. If that’s the case what security sacrifices and the chance for replay attacks are?
>> Would it be Ok if I also hardcode the Nonce to 0 in my implementation?
>
> This isn't the nonce used as part of the transport object, but rather
> a single encryption/decryption that happens with a unique key as part
> of the handshake. It being zero is a natural consequence of the
> protocol flow.
>
> Don't hardcode a zero nonce in transport messages.
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-09-01 8:10 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-24 10:05 Nonce in out-of-order messages Hristo Georgiev
2019-08-25 15:56 ` Jason A. Donenfeld
2019-09-01 8:10 ` Hristo Georgiev
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).