You are looking at a specific version 20190503:121535 of this paper.

Paper 2019/436

Flexible Authenticated and Confidential Channel Establishment (fACCE): Analyzing the Noise Protocol Framework

Benjamin Dowling and Paul Rösler and Jörg Schwenk

Abstract

The Noise protocol framework is a suite of channel establishment protocols, of which each individual protocol ensures various security properties of the transmitted messages, but keeps specification, implementation, and configuration relatively simple. Implementations of the Noise protocols are themselves, due to the employed primitives, very performant. Thus, despite its relative youth, Noise is already used by large-scale deployed applications such as WhatsApp and Slack. Though the specification describes and claims the security properties of the protocol patterns very precisely, there has been no computational proof yet. We close this gap. Noise uses only a limited number of cryptographic primitives which makes it an ideal candidate for reduction-based security proofs. Due to its patterns' characteristics as channel establishment protocols, and the usage of established keys within the handshake, the authenticated and confidential channel establishment (ACCE) model (Jager et al. CRYPTO 2012) seems perfectly fit for an analysis of Noise. However, the ACCE model strictly divides protocols into two non-overlapping phases: the pre-accept phase (i.e., the channel establishment) and post-accept phase (i.e., the channel). Using the example of Noise, we show that this separation originates from the historic background of the TLS 1.2 proof, rather than it depicting the natural core of a channel establishment protocol. Similarly to TLS 1.3, Noise allows the transmission of encrypted messages as soon as a key is established (for instance, before any authentication between parties has taken place). By proposing a generalization of the original ACCE model, we catch security properties of these earlier messages precisely. As our generalized model is aimed to capture security of multiple different channel establishment protocols, we then add flexibility to the security definition, comparable to the multi-stage key exchange model (Fischlin and Günther CCS 2014). 
We furthermore provide a broad discussion on the relations among and dimensions of the considered security properties as this plays a crucial role when defining security flexibly. Based on this, we observe that each message sent during the channel establishment can add new security properties, while inheriting those established in previous stages. We give full security proofs for eight of the 15 basic Noise patterns to illustrate the flexibility and validity of this approach.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Keywords
channel establishment, ACCE, multi-stage, Noise framework
Contact author(s)
paul roesler @ rub de
benjamin dowling @ rhul ac uk
History
2020-02-07: revised
2019-05-03: received
Short URL
https://ia.cr/2019/436
License
Creative Commons Attribution
CC BY