New RFC: 35/WAKU2-NOISE #496
Conversation
|
btw, if the PR is ready for review, please mark it as such. It is currently tagged as a draft. @s1fr0 |
content/docs/rfcs/35/README.md
Outdated
| @@ -49,10 +49,10 @@ The fields that are concatenated as part of the `payload` Waku2 field are: | |||
| - `protocol-id`: identifies the protocol in use (1 byte). | |||
| Supported values are: | |||
| - `0`: none or omitted; | |||
There was a problem hiding this comment.
Can we add the version for ChaChaPoly symmetric case only? So applications don't need to revert to previous version for this use case
| - *Authenticity*: The adversary should not be able to cause a Waku2 endpoint to accept messages coming from an endpoint different than their original senders. | ||
| - *Integrity*: The adversary should not be able to cause a Waku2 endpoint to accept data that has been tampered with. | ||
| - *Identity-hiding*: A passive adversary should not be able to link encrypted messages to their corresponding senders and recipients. | ||
|
|
There was a problem hiding this comment.
PR should also update Waku Message v2 with a short description and link to this spec
|
@s1fr0 Please let me know whenever your updates are ready for review |
|
@staheri14 ready for a second round of review. I addressed all comments. Thanks! |
content/docs/rfcs/35/README.md
Outdated
| contributors: | ||
| --- | ||
|
|
||
| This specification describes how Waku2 messages can be encrypted |
There was a problem hiding this comment.
| This specification describes how Waku2 messages can be encrypted | |
| This specification describes how Waku Messages can be encrypted |
Possibly with a link to tWaku message specs
|
|
||
| This specification describes how Waku2 messages can be encrypted | ||
| in order to achieve confidentiality, authenticity, and integrity | ||
| as well as some form of identity-hiding on communicating parties. |
There was a problem hiding this comment.
I'd mention forward secrecy here
There was a problem hiding this comment.
I mentioned it slightly later.
content/docs/rfcs/35/README.md
Outdated
|
|
||
| Specifically, it describes how encryption keys can be exchanged using the [Noise protocol Framework](http://www.noiseprotocol.org/noise.html) | ||
| to allow authenticated encryption/decryption in [10/WAKU2](/spec/10) with [14/WAKU-MESSAGE version 2](/spec/14/#version2). | ||
| This ultimately allows Waku2 users to instantiate end-to-end encrypted communication channels. |
There was a problem hiding this comment.
I'd rephase as applications built on top of Waku to provide this
content/docs/rfcs/35/README.md
Outdated
| This ultimately allows Waku2 users to instantiate end-to-end encrypted communication channels. | ||
|
|
||
|
|
||
| This specification is an addition to [26/WAKU-PAYLOAD](/spec/26). |
There was a problem hiding this comment.
...and its functionality provides a super set with modern primitives and stronger guarantees/more modular, such as x~
something like this
There was a problem hiding this comment.
Can also add a sentence pointings to 5 Status secure spec saying it subsumes it too for applications interested in strong conversation security guarantees
content/docs/rfcs/35/README.md
Outdated
| ## Design requirements | ||
|
|
||
| - *Confidentiality*: | ||
| The adversary should not be able to learn what data is being sent from one Waku2 endpoint to one or several other Waku2 endpoints. |
There was a problem hiding this comment.
"Waku2" is used throughout the text but doesn't refer to anything specific I think. Can probably replace with Waku if just want generic term here.
content/docs/rfcs/35/README.md
Outdated
|
|
||
| - *Confidentiality*: | ||
| The adversary should not be able to learn what data is being sent from one Waku2 endpoint to one or several other Waku2 endpoints. | ||
| In particular, forward secrecy should be provided on exchanged data. |
There was a problem hiding this comment.
would it make sense to pull out forward secrecy as a separate point?
content/docs/rfcs/35/README.md
Outdated
| We refer to [Noise protocol framework specifications](http://www.noiseprotocol.org/noise.html#processing-rules) for the full details on how parties shared secret key is derived from each exchanged message. | ||
|
|
||
| Four Noise handshakes are currently supported: `K1K1`, `XK1`, `XX`, `XXpsk0` | ||
| (their description can be found [here](https://forum.vac.dev/t/noise-handshakes-as-key-exchange-mechanism-for-waku2/130)). |
There was a problem hiding this comment.
I wouldn't refer to forum post in spec probably - either Noise spec or summarize in Appendix in this spec
| Four Noise handshakes are currently supported: `K1K1`, `XK1`, `XX`, `XXpsk0` | ||
| (their description can be found [here](https://forum.vac.dev/t/noise-handshakes-as-key-exchange-mechanism-for-waku2/130)). | ||
| These are instantiated combining the following cryptographic primitives: | ||
| - [`Curve25519`](http://www.noiseprotocol.org/noise.html#the-25519-dh-functions) for Diffie-Hellman key-exchanges (32 bytes curve coordinates); |
There was a problem hiding this comment.
Would it make sense to have a section with cryptographic primitives like this e.g. https://rfc.vac.dev/spec/26/#cryptographic-primitives ?
There was a problem hiding this comment.
Not sure. Right now the section is "Supported Cryptographic Protocols" and contains the details of both the primitives employed by Noise protocols and encryption primitives (since we separately support ChaChaPoly) within two separate subsection. If we have a new/separate section naming all primitives employed (noise + encryption), it would look like we can have a Curve25519 and/or SHA256 as separate primitives that can directly called/used to build waku message payloads, although, in fact, those are just the (only for now) combination of primitives used to instantiate supported Noise handshakes. If in the future add support to blake2, AES-GCM, Curve448, etc. then it may be better a separate subsection inside the current "Noise Protocols" subsection, so that users are aware of the different combinations supported for the tuple (curve, cipher, hash) (besides encryption primitives used as such, no matter the key exchange protocol).
content/docs/rfcs/14/README.md
Outdated
| @@ -69,6 +69,13 @@ This provides for asymmetric and symmetric encryption. | |||
| Key agreement is out of band. | |||
| It also provides an encrypted signature and padding for some form of unlinkability. | |||
|
|
|||
| ### Version 2 | |||
|
|
|||
| This indicates that payloads MUST be encoded using [35/WAKU-NOISE envelope data format spec](/spec/35). | |||
There was a problem hiding this comment.
| This indicates that payloads MUST be encoded using [35/WAKU-NOISE envelope data format spec](/spec/35). | |
| This indicates that payloads MUST be encoded using [35/WAKU-NOISE](/spec/35). |
|
Addressed new comments |
| slug: 35 | ||
| title: 35/WAKU2-NOISE | ||
| name: Noise Protocols for Waku Payload Encryption | ||
| status: raw |
There was a problem hiding this comment.
| status: raw | |
| status: raw | |
| tags: waku-core-protocol |
content/docs/rfcs/35/README.md
Outdated
|
|
||
| Specifically, it adds support to the [`ChaChaPoly`](https://www.ietf.org/rfc/rfc7539.txt) cipher for symmetric authenticated encryption. | ||
| It further describes how the [Noise Protocol Framework](http://www.noiseprotocol.org/noise.html) can be used to exchange cryptographic keys and encrypt/decrypt messages | ||
| in a way that that the latter are authenticated and protected by *strong forward secrecy*. |
There was a problem hiding this comment.
| in a way that that the latter are authenticated and protected by *strong forward secrecy*. | |
| in a way that the latter are authenticated and protected by *strong forward secrecy*. |
content/docs/rfcs/35/README.md
Outdated
|
|
||
|
|
||
| This ultimately allows Waku applications to instantiate end-to-end encrypted communication channels with strong conversational security guarantees, | ||
| similarly as done by [5/SECURE-TRANSPORT](https://specs.status.im/spec/5) but in a more modular way, |
There was a problem hiding this comment.
| similarly as done by [5/SECURE-TRANSPORT](https://specs.status.im/spec/5) but in a more modular way, | |
| as similarly done by [5/SECURE-TRANSPORT](https://specs.status.im/spec/5) but in a more modular way, |
content/docs/rfcs/35/README.md
Outdated
| even in the case he has access to communicating parties' long-term private keys (during or after their communication). | ||
| - *Authenticity*: the adversary should not be able to cause a Waku endpoint to accept messages coming from an endpoint different than their original senders. | ||
| - *Integrity*: the adversary should not be able to cause a Waku endpoint to accept data that has been tampered with. | ||
| - *Identity-hiding*: a passive adversary should not be able to link encrypted messages to their corresponding senders and recipients. |
There was a problem hiding this comment.
I am not sure this design requirements can fully be covered without providing guildelines on the content topic.
I agree that the content topic handling is out of this spec's scope, but I think we should highlight that poor content topic handling can compromising this requirement.
There was a problem hiding this comment.
Now better addressed in 4076b1e
content/docs/rfcs/35/README.md
Outdated
| - `transport-message-len-len`: the length in bytes of `transport-message-len` (1 byte); | ||
| - `transport-message-len`: the length in bytes of `transport-message` (`transport-message-len-len` bytes); | ||
| - `transport-message`: the transport message (`transport-message-len` bytes); | ||
| - `transport-message-ad`: the symmetric encryption authentication data for `transport-message` (16 bytes). |
There was a problem hiding this comment.
| - `transport-message-ad`: the symmetric encryption authentication data for `transport-message` (16 bytes). | |
| - `transport-message-auth`: the symmetric encryption authentication data for `transport-message` (16 bytes). |
nitpick: I think auth would be easier to understand it stores the auth data than ad.
content/docs/rfcs/35/README.md
Outdated
| ; contains the size of handshake-message | ||
| handshake-message-len = 1OCTET | ||
|
|
||
| ; containes one or more Diffie-Hellman public keys |
There was a problem hiding this comment.
| ; containes one or more Diffie-Hellman public keys | |
| ; contains one or more Diffie-Hellman public keys |
| - `transport-message` contains the Noise transport message; | ||
| - `10`,`11`,`12`,`13`: payload encodes a supported Noise handshake message. | ||
| - `transport-message` contains the Noise transport message; | ||
| - `30`: payload encapsulate a `ChaChaPoly` ciphertext `ct`. |
There was a problem hiding this comment.
| - `30`: payload encapsulate a `ChaChaPoly` ciphertext `ct`. | |
| - `30`: payload encapsulate a `ChaChaPoly` ciphertext `cipher`. |
IMHO, cipher is clearer than ct.
There was a problem hiding this comment.
Not sure, cipher sounds more related to the cipher itself. ciphertext is definitely better although quite long. ct is common in crypto, but probably not clear enough here. I don't have a strong opinion on this though
content/docs/rfcs/35/README.md
Outdated
| to a multiple of the underlying symmetric cipher block size | ||
| (16 bytes for `ChaChaPoly`). | ||
|
|
||
| It is therefore recommended to pad transport messages to a multiple of 256 bytes. |
There was a problem hiding this comment.
So transport-message should be right padded, correct?
There was a problem hiding this comment.
Yes, this allows more efficient decryption, i.e. you may stop decrypting blocks when you observe a padding start (which might be part of the plaintext though). In the left pad, you need to decrypt everything (pad+message) to get the last byte of message.
There was a problem hiding this comment.
Clarified in in b587e8b
content/docs/rfcs/35/README.md
Outdated
| parties SHOULD set `protocol-id` to `0` | ||
| to reduce metadata leakages and indicate that the message is an *after-handshake* message. | ||
|
|
||
| It is recommended that each party attaches an (unencrypted) ephemeral key in `handshake-message` to every message sent. |
There was a problem hiding this comment.
We usually upper case the RFC-2119 terminology: https://rfc.vac.dev/spec/1/#language
nitpick: Active voice is usually easier to read than passive voice (if my grammar is correct)
| It is recommended that each party attaches an (unencrypted) ephemeral key in `handshake-message` to every message sent. | |
| Each party SHOULD attach an (unencrypted) ephemeral key in `handshake-message` to every message sent. |
| ## Backward Support for Symmetric/Asymmetric Encryption | ||
|
|
||
| It is possible to have backward compatibility to symmetric/asymmetric encryption primitives from [26/WAKU-PAYLOAD](/spec/26), | ||
| effectively encapsulating payload encryption [14/WAKU-MESSAGE version 1](/spec/14/#version1) in [version 2](/spec/14/#version2). |
There was a problem hiding this comment.
| effectively encapsulating payload encryption [14/WAKU-MESSAGE version 1](/spec/14/#version1) in [version 2](/spec/14/#version2). | |
| effectively encapsulating payload encryption [14/WAKU-MESSAGE version 1](/spec/14/#version1) in [version 2](/spec/14/#version2). |
|
|
||
| In all supported Noise protocols, | ||
| parties' static keys are transmitted encrypted, | ||
| while ephemeral keys MAY be encrypted after a handshake is complete. |
There was a problem hiding this comment.
If this is the case i.e., both ephemeral pks and static pks can be encrypted, how would you distinguish between these two in the current serialization pattern?
btw, which handshake pattern contains an encrypted ephemeral key? with a quick check I could not find. found my answer already :)
There was a problem hiding this comment.
During an handshake, you don't need to distinguish, since the handshake pattern is pre-agreed (so you know the sequence of ephemeral-static encrypted/unencrypted keys). After handshake you'll only have ephemeral keys exchanged to refresh with new randomness encryption keys. The distinction between encrypted/unencrypted can be done simply looking at the authentication data.
There was a problem hiding this comment.
If you know the order of pks by knowing the handshake pattern, then why do we need a flag to indicate encryption? isn't it also clear from the pattern?
There was a problem hiding this comment.
Because in a handshake message you may have a concatenation of multiple public keys. Without a flag you may confuse authentication data with the next public key or waste bytes for an all-zero-empty authentication data in case you keep sizes fixed for all fields.
There was a problem hiding this comment.
you may confuse authentication data with the next public key
Can you please give an example of such a situation? not numerically just symbolically
There was a problem hiding this comment.
It is not impossible, only less structured.
For example, without flags
handskake-message = pk1 pk1-auth pk2 pk3
You read the first 32 bytes and you get pk1. You read next 16 bytes, if authenticating pk1, decrypt pk1. Otherwise continue reading next 16 bytes and store the last 32 bytes read as pk2, etc.
Probably hard to do, but you may generate a public key pk2 with MSB set to authentication data pk1-auth and confuse the implementation, although the handshake will simply fail.
There was a problem hiding this comment.
Thanks for the explanation, isn't the presence of pk1_auth dictated by the handshake pattern? i.e., if there has been a shared key established prior to pk1, then an encrypted pk1 is expected? which means the next item in the handshake message should be pk1-auth?
There was a problem hiding this comment.
If this comment of mine also requires further discussion, let's issue it up and resume our conversion there.
There was a problem hiding this comment.
I would say both yes and no. The handshake is pre-agreed, so everyone knows what to expect. In after-handshake, although you may exchange only ephemeral keys for which there is no need to use encryption, you may encrypt them as well (for example to authenticate the ephemeral key itself, but again encryption will fail if you're cheating). I think the flag may be useful in the future for Noise pipes, i.e. while executing multiple handshakes in a row: you can indeed upgrade the whole handshake to a fully encrypted version, although you can then use a psk version of the handshake then.
It is also true that besides handshakes, I don't expect to exchange more than one public key during normal communication, so checking the length of handshake-message would suffice to understand if the public key is encrypted or not, and we can in fact remove the flag.
There was a problem hiding this comment.
Thanks! Minor comments. Seems good enough to me as a raw spec :)
For other issues in PR, I defer to Sanaz and other reviewers here in terms of what should be addressed in this PR.
I also expect some tweaks to happen as this moves closer to draft, so one option is also to pull out some of the outstanding options into a separate 'enhancement/fixup' issue.
content/docs/rfcs/14/README.md
Outdated
| This indicates that payloads MUST be encoded using [35/WAKU-NOISE](/spec/35). | ||
|
|
||
| This provides key-exchanges and encryption based on [Noise Protocol](http://www.noiseprotocol.org/noise.html). | ||
| It also provides `ChaChaPoly` symmetric encryption. |
There was a problem hiding this comment.
In version 1 paragraph we say:
This provides for asymmetric and symmetric encryption. Key agreement is out of band. It also provides an encrypted signature and padding for some form of unlinkability.
Perhaps we can say high some similar high level stuff? So people who just glance at RFC 14 can get rough idea of why they want to use version 2 over version 1.
There was a problem hiding this comment.
Addressed in 505e405
Shall we mention forward secrecy and unlinkability as well, or we just keep it very general as it is now?
|
@s1fr0 What is left on this PR to get merged? |
|
@staheri14 It is ready, just some minor pending discussions. But I will merge and eventually later PR minor changes. |
|
Should I change the left menu to allow users to find the spec? Can I directly commit to master or better to have a new PR? |
Right, that should be added to the menu, please create a new PR. @s1fr0 |
* master: RFC16: add version call (#505) fix(noise): update RFC to implementation (#508) fixup: 37/WAKU2-NOISE fix images paths (#506) New RFC: 37/WAKU2-NOISE-SESSIONS (#504) 36/WAKU2-BINDINGS-API (#501) docs(16/WAKU2-RPC): add ENR to waku info (#502) Adding 35/WAKU2-NOISE to menu (#500) add RFC33 to index (#499) feat: 32/RLN raw spec New RFC: 35/WAKU2-NOISE (#496) Update on the rln registration figure to match the current spec (#497) 33/WAKU-DISCV5: Add first raw version (#487) Add pubsubTopic field to index (#492) Fix markdown links (#493) Categorize 22 & 31 (#490) Changed PB Timestamp index to 10 (#491) 13/14/16/21: Change in timestamp format (#483) add: RFC31 copyright statement (#489) 17/WAKU-RLN-RELAY: Revise spec for its draft version (#484)
* master: RFC16: add version call (#505) fix(noise): update RFC to implementation (#508) fixup: 37/WAKU2-NOISE fix images paths (#506) New RFC: 37/WAKU2-NOISE-SESSIONS (#504) 36/WAKU2-BINDINGS-API (#501) docs(16/WAKU2-RPC): add ENR to waku info (#502) Adding 35/WAKU2-NOISE to menu (#500) add RFC33 to index (#499) feat: 32/RLN raw spec New RFC: 35/WAKU2-NOISE (#496) Update on the rln registration figure to match the current spec (#497) 33/WAKU-DISCV5: Add first raw version (#487) Add pubsubTopic field to index (#492) Fix markdown links (#493) Categorize 22 & 31 (#490) Changed PB Timestamp index to 10 (#491) 13/14/16/21: Change in timestamp format (#483) add: RFC31 copyright statement (#489) 17/WAKU-RLN-RELAY: Revise spec for its draft version (#484)
s1fr0
added
track:rfc-process
This PR addresses the first task of #494.