noise: introduce an extension registry #453
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,7 +5,7 @@ | |
|
|
||
| | Lifecycle Stage | Maturity | Status | Latest Revision | | ||
| |-----------------|----------------|--------|-----------------| | ||
| | 3A | Recommendation | Active | r4, 2022-09-22 | | ||
|
|
||
| Authors: [@yusefnapora] | ||
|
|
||
|
|
@@ -201,28 +201,31 @@ messages. We leverage this construct to transmit: | |
|
|
||
| 1. the libp2p identity key along with a signature, to authenticate each party to | ||
| the other. | ||
| 2. extensions used by the libp2p stack. | ||
|
|
||
| The extensions are inserted into the first message of the handshake pattern | ||
| **that guarantees secrecy**. Specifically, this means that the initiator MUST NOT | ||
| send extensions in their first message. | ||
| The initiator sends its extensions in message 3 (closing message), and the | ||
| responder sends theirs in message 2 (their only message). It should be stressed, | ||
| that while the second message of the handshake pattern has forward secrecy, | ||
| the sender has not authenticated the responder yet, so this payload might be | ||
| sent to any party, including an active attacker. | ||
|
Contributor
There was a problem hiding this comment. As a security precaution is it helpful to specify that the "early data" should not be processed before the handshake is fully finished? thus gives us more confidence on the data, what are your thoughts on this?
Contributor
Author
There was a problem hiding this comment. In WebTransport, we process it immediately, and fail the handshake if the certificate hash doesn't match.
Contributor
There was a problem hiding this comment. Great, document that is a good point. |
||
|
|
||
| When decrypted, the payload contains a serialized [protobuf][protobuf] | ||
| `NoiseHandshakePayload` message with the following schema: | ||
|
|
||
| ``` protobuf | ||
| syntax = "proto2"; | ||
|
|
||
| message NoiseExtensions { | ||
julian88110 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| repeated bytes webtransport_certhashes = 1; | ||
| } | ||
|
|
||
| message NoiseHandshakePayload { | ||
| optional bytes identity_key = 1; | ||
| optional bytes identity_sig = 2; | ||
|
Member
There was a problem hiding this comment. For the record, rust-libp2p does not make use of
Contributor
Author
There was a problem hiding this comment. go-libp2p doesn't, and js-libp2p doesn't either (as far as I know).
Member
There was a problem hiding this comment. What about nim-libp2p cpp-libp2p jvm-libp2p @marten-seemann?
Contributor
Author
There was a problem hiding this comment. I’m not familiar with their code bases. This PR was open for more than a week, that should’ve been plenty of time to chime in. Also note that this is backwards-compatible change since we didn’t reuse field 3 in the protobuf. |
||
| optional NoiseExtensions extensions = 4; | ||
| } | ||
| ``` | ||
|
|
||
|
|
@@ -235,9 +238,8 @@ spec][peer-id-spec-signing-rules]. The data to be signed is the UTF-8 string | |
| `noise-libp2p-static-key:`, followed by the Noise static public key, encoded | ||
| according to the rules defined in [section 5 of RFC 7748][rfc-7748-sec-5]. | ||
|
|
||
| The `extensions` field contains Noise extensions and is described in | ||
| [Noise Extensions](#noise-extensions). | ||
|
|
||
| Upon receiving the handshake payload, peers MUST decode the public key from the | ||
| `identity_key` field into a usable form. The key MUST then be used to validate | ||
|
|
@@ -283,6 +285,23 @@ internal libp2p data. | |
|
|
||
| The XX handshake MUST be supported by noise-libp2p implementations. | ||
|
|
||
| ### Noise Extensions | ||
|
|
||
| Since the Noise handshake pattern itself doesn't define any extensibility | ||
| mechanism, this specification defines an extension registry, modeled after | ||
| [RFC 6066](https://www.rfc-editor.org/rfc/rfc6066) (for TLS) and | ||
| [RFC 9000](https://datatracker.ietf.org/doc/html/rfc9000#section-19.21) | ||
| (for QUIC). | ||
|
|
||
| Note that this document only defines the `NoiseExtensions` code points, and | ||
| leaves it up to the protocol using that code point to define semantics | ||
| associated with these code point. | ||
|
|
||
| Code points above 1024 MAY be used for experimentation. Code points up to | ||
| this value MUST be registered in this document before deployment. | ||
|
Comment on lines
+300
to
+301
Member
There was a problem hiding this comment. As far as I understand we tried to use multicodec for all magic numbers in the libp2p ecosystem thus far. If I understand this proposal correctly, it runs somewhat against this convention. I am not opposed to that, I just think it is worth pointing out in the specification. E.g. a short paragraph of why we are not using multicodec for this. What do you think @marten-seemann?
Contributor
Author
There was a problem hiding this comment. Good point. I'm not super familiar with the design philosophy behind multicoded. @Stebalien and @lidel, could you help us out here? |
||
|
|
||
|
|
||
|
|
||
| ## Cryptographic Primitives | ||
|
|
||
| The Noise framework allows protocol designers to choose from a small set of | ||
|
|
@@ -433,6 +452,14 @@ unsupported types like RSA. | |
| - Removed Noise Pipes and related handshake patterns | ||
| - Removed padding within encrypted payloads | ||
|
|
||
| ### r3 - 2022-09-20 | ||
|
|
||
| - Change Protobuf definition to proto2 (due to the layout of the protobuf used, this is backwards-compatible change) | ||
|
|
||
| ### r4 - 2022-09-22 | ||
|
|
||
| - Add Noise extension registry | ||
|
|
||
|
|
||
| [peer-id-spec]: ../peer-ids/peer-ids.md | ||
| [peer-id-spec-signing-rules]: ../peer-ids/peer-ids.md#how-keys-are-encoded-and-messages-signed | ||
|
|
||
Uh oh!
There was an error while loading. Please reload this page.