[Cryptography] At what point should people not use TLS?

Trevor Perrin trevp at trevp.net
Mon Apr 11 11:53:52 EDT 2016


Hi,

If it helps, there's a detailed spec for Noise (HTML and PDF) here:

https://noiseprotocol.org

I'll touch on some technical differences between Noise Pipes and TLS.
Let's look at both "full" and "abbreviated" handshakes:


Full handshake
---------------------
Mutually-authenticated TLS "by the book" (RFC 5246) sends the client's
identity in the clear, and takes 2 round-trips before the client can
send encrypted data.

Noise encrypts the client's identity, and takes 1 round-trip.

You could twist TLS into something better, but it's not easy:

To do better client-auth in TLS you'd have to wait for something like
"Token Binding" (see the TOKBIND working group).  To do a 1-RTT
handshake in TLS the client would have to do the "False Start" trick,
where the client deviates from the spec by sending ciphertext before
receiving the server's Finished message.  A number of browsers have
become comfortable with False Start, but the client has to be very
careful.  It still feels risky to me.


Abbreviated handshake
---------------------------------
TLS session resumption is based on caching the original session's
master secret.  So forward secrecy and resistance to "key-compromise
impersonation" is reduced: if the cached master secret is stolen from
the client or server, older sessions can be decrypted and the server
can be impersonated.

Noise has an abbreviated handshake which allows encryption in the
first round-trip, including the client's first message (unlike TLS).
But after the first round-trip, a fresh handshake has been performed,
so Noise ciphertext after the first round-trip has the full security
of a fresh session.


Some points beyond the handshake -

Noise was designed to take advantage of new crypto primitives like
Curve25519 DH, which haven't made their way into TLS libraries.  Noise
is a DH-only handshake with no signatures, meaning simpler crypto and
small messages.

Noise implementations can be very simple.  A Noise handshake has a
fixed sequence of messages with fixed structure, and a fixed sequence
of crypto operations.  Noise doesn't enlarge your attack surface with
multiple complex parsers (ASN.1 and TLS presentation language), a
complicated state machine, or twenty years of extensions and legacy
crypto.

The ongoing redesign of TLS (1.3) aims to address some of these
issues.  But it's unclear what its final shape will be, or when it
will be fielded.


Trevor
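To make the "fixed sequence of messages, fixed sequence of crypto operations, DH only, no signatures" point concrete, here is an added example (not code from the Noise project, the spec, or this post): a Noise_NN handshake in pure Python. X25519 is implemented from RFC 7748 and the SymmetricState (MixHash/MixKey/Split over HKDF-SHA256) follows the Noise spec; both are assumptions of this example rather than anything quoted above. Handshake payloads and the ChaChaPoly transport cipher are left out because the standard library has no AEAD, so the example stops at Split(), where both sides must hold identical transport keys and handshake hash after a single round trip.

```python
# Added example: Noise_NN (-> e ; <- e, ee) in pure Python. Not project code.
# The X25519 ladder uses Python ints and a data-dependent swap, so it is
# illustrative only and NOT constant-time; payload/AEAD handling is omitted.
import hashlib
import hmac
import os

P = 2 ** 255 - 19
A24 = 121665  # (486662 - 2) / 4, the Montgomery ladder constant
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519: scalar * u-coordinate, returned as 32 LE bytes."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # conditional swap (constant-time in real implementations)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(priv=None):
    """Return (private scalar, public u-coordinate); fresh random if none given."""
    priv = priv or os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def hkdf2(chaining_key: bytes, ikm: bytes):
    """Noise HKDF (RFC 5869, HMAC-SHA256) producing two 32-byte outputs."""
    temp = hmac.new(chaining_key, ikm, hashlib.sha256).digest()
    out1 = hmac.new(temp, b"\x01", hashlib.sha256).digest()
    out2 = hmac.new(temp, out1 + b"\x02", hashlib.sha256).digest()
    return out1, out2


class SymmetricState:
    """Noise SymmetricState: chaining key ck, handshake hash h, cipher key k."""

    def __init__(self, protocol_name: bytes):
        self.h = (protocol_name.ljust(32, b"\x00") if len(protocol_name) <= 32
                  else hashlib.sha256(protocol_name).digest())
        self.ck = self.h
        self.k = None  # set by the first DH; would key the (omitted) AEAD

    def mix_hash(self, data: bytes) -> None:
        self.h = hashlib.sha256(self.h + data).digest()

    def mix_key(self, ikm: bytes) -> None:
        self.ck, self.k = hkdf2(self.ck, ikm)

    def split(self):
        """Two transport keys: initiator->responder, responder->initiator."""
        return hkdf2(self.ck, b"")


PROTOCOL_NAME = b"Noise_NN_25519_ChaChaPoly_SHA256"


def run_nn_handshake(prologue: bytes = b""):
    """Run NN on both sides; return ((keys, h) initiator, (keys, h) responder)."""
    init, resp = SymmetricState(PROTOCOL_NAME), SymmetricState(PROTOCOL_NAME)
    init.mix_hash(prologue)
    resp.mix_hash(prologue)
    # Message 1, initiator, token "e": generate ephemeral, hash it, send it.
    ie_priv, ie_pub = keypair()
    init.mix_hash(ie_pub)
    msg1 = ie_pub  # 32 bytes on the wire; empty payload omitted here
    # Responder reads "e", then writes message 2 with tokens "e", "ee".
    resp.mix_hash(msg1)
    re_priv, re_pub = keypair()
    resp.mix_hash(re_pub)
    resp.mix_key(x25519(re_priv, msg1))  # "ee": DH of the two ephemerals
    msg2 = re_pub
    # Initiator reads message 2: the same tokens drive the same operations.
    init.mix_hash(msg2)
    init.mix_key(x25519(ie_priv, msg2))
    return (init.split(), init.h), (resp.split(), resp.h)


def rfc7748_vector_ok() -> bool:
    """Self-check of the ladder against the RFC 7748 section 6.1 Alice/Bob vector."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    shared = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"
    return x25519(a, keypair(b)[1]).hex() == shared == x25519(b, keypair(a)[1]).hex()


if __name__ == "__main__":
    (ikeys, ih), (rkeys, rh) = run_nn_handshake()
    print("RFC 7748 vector ok:", rfc7748_vector_ok())
    print("transport keys agree:", ikeys == rkeys, "| handshake hash agrees:", ih == rh)
```

Each message is exactly one public key, there is no parsing beyond fixed 32-byte fields, and nothing is signed: authentication in the mutually-authenticated XX pattern comes from further DH operations on static keys (sent encrypted after the first DH), not from a different mechanism. Reading the handshake as a token sequence is what keeps the state machine small.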
