[ANN] An implementation of the Noise Protocol Framework

announce

#1

Hello,

I am announcing the first release of noise, an implementation of the Noise Protocol Framework.

It contains building blocks to implement a secure protocol with confidentiality and authentication on top of modern cryptographic primitives. This protocol framework is used by WhatsApp, WireGuard, and Lightning.

This is still a very early version:

  • it contains some custom implementations of cryptographic primitives
  • the interface is unstable
  • most applications need a higher level protocol like NoiseSocket, which is comparable to TLS

Next on my roadmap is implementing a WireGuard client and server that can be used in Mirage.

If you are interested in implementing a protocol that uses Noise, please get in touch!


#2

This sounds quite interesting, and I’m glad to hear of plans for a VPN client for Mirage (hopefully that could also be of interest to the Qubes people).

The official Noise Protocol page has a list of languages that have implementations of the framework. Have you gotten in touch to add your project (and thus OCaml) to the list? I know you feel it’s a bit preliminary, but the visibility cannot hurt your project or the language :slight_smile:

Minor remark:

some primitives are implemented in an ad hoc manner.

I don’t know what you mean by “in an ad hoc manner” here, and given that this sort of high-level “here are the current limitations” information is important to help users make choices, I think you could elaborate a bit more.

In fact I think that you could merge the “What it’s not” content into the “What is this?” section (it would fit well between the two existing paragraphs), and have a second “Current limitations” section with “Not ready for primetime.” and the explanations in the following paragraph, slightly expanded.


#3

I don’t know what you mean by “in an ad hoc manner” here, and given that this sort of high-level “here are the current limitations” information is important to help users make choices, I think you could elaborate a bit more.

Sure!

My goal with that package is to not have any crypto primitive in it. At the moment, there is:

  • HKDF, to be replaced by hkdf. At the moment there’s a bit of an impedance mismatch between the interfaces, so I’ll have to adapt hkdf as well. That’s not too big of a deal since HKDF is a thin layer on top of HMAC.
  • for BLAKE2, HMAC is reimplemented on top of the hash functions because it was not properly exposed in digestif. This is now fixed in digestif and I’ll be able to remove that implementation with a dependency bump.
  • I couldn’t find a Chacha20 implementation, so I wrote one in OCaml. Since then I was told about ocaml-chacha (though unreleased). The best course of action is to integrate either one of these into nocrypto (maybe both through library variants) and remove it from the noise source tree.
  • Poly1305 is a binding to tweetnacl. There’s ocaml-poly1305 which is also a C binding. Once again we can probably work to integrate that into nocrypto.
  • the Chacha/Poly AEAD construction is glued by hand here. There’s not much going on so it’s fairly auditable, but I’d rather have this out of noise itself.

So, these are not problems that make noise unusable, but these “new” crypto primitives will require some care before they can be considered for production. The nice part about integrating these into nocrypto is that we’ll be able to use them for other modern cryptographic protocols, such as TLS 1.3.
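
Added example, not code from the noise package or from anyone in this thread: the layering described in #3, with HMAC built directly on a hash function (here BLAKE2s) and HKDF, in the form the Noise specification defines it, as a thin layer on top of that HMAC. It is written in Python rather than OCaml; the names `hmac_from_hash` and `noise_hkdf` and the sample inputs are illustrative assumptions.

```python
import hashlib


def hmac_from_hash(hash_fn, key: bytes, msg: bytes) -> bytes:
    """HMAC (RFC 2104) built on a bare hash constructor such as hashlib.blake2s."""
    block = hash_fn().block_size
    if len(key) > block:              # over-long keys are hashed first
        key = hash_fn(key).digest()
    key = key.ljust(block, b"\x00")   # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hash_fn(ipad + msg).digest()
    return hash_fn(opad + inner).digest()


def noise_hkdf(hash_fn, chaining_key: bytes, ikm: bytes, num_outputs: int):
    """HKDF as used by Noise: the chaining key is the salt, the info string
    is empty, and exactly 2 or 3 outputs of HASHLEN bytes are produced."""
    if num_outputs not in (2, 3):
        raise ValueError("Noise HKDF produces 2 or 3 outputs")
    # Extract step: a single HMAC call.
    temp_key = hmac_from_hash(hash_fn, chaining_key, ikm)
    # Expand step: each output is HMAC(temp_key, previous_output || counter).
    outputs, prev = [], b""
    for counter in range(1, num_outputs + 1):
        prev = hmac_from_hash(hash_fn, temp_key, prev + bytes([counter]))
        outputs.append(prev)
    return tuple(outputs)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real handshake.
    ck = hashlib.blake2s(b"constructed chaining key").digest()
    dh_output = bytes(range(32))      # stand-in for a DH result
    new_ck, cipher_key = noise_hkdf(hashlib.blake2s, ck, dh_output, 2)
    print("ck:", new_ck.hex())
    print("k: ", cipher_key.hex())
```
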


#4

Thanks! I meant “elaborate in the README” but this is an excellent first step. Two remarks:

  • The F*/HACL people have verified implementations of some of these crypto primitives ( https://github.com/project-everest/hacl-star ), and I think they can extract to either C or OCaml code. You may be able to depend on some of their libraries, or at least reuse some of their glue. (I’m not sure who to contact to get more information, I mostly learned about this work from the PhD defense of https://github.com/jkzinzindohoue ).

  • I think the Tezos project also had a tweetnacl binding (which you could reuse), but they switched to the HACL codebase now.


#5

We try to find a polished way to distribute, as an OPAM package, a binding to the extracted C code of HACL star, to be able to depend on it properly. So it’s about a clean distribution process for the OCaml community instead of bindings by hand in some discrete parts of some projects :slight_smile:.