{"guid":"7c09baef-9120-5eb2-866b-b33ed4da207c","title":"Adopting the Noise Key Exchange in Tox","subtitle":null,"slug":"rc3-709912-adopting_the_noise_key_exchange_in_tox","link":"https://pretalx.rc3.studio/rc3-channels-2020/talk/PWNJYW/","description":"Tox [0] is a free and open source peer-to-peer instant messaging protocol and implementation, that aims to provide secure messaging. It’s intended as an end-to-end encrypted (E2EE) and distributed Skype replacement. Tox’ cryptography is based on the NaCl library from Daniel J. Bernstein [1]. The cryptographic primitives for the key exchange (X25519), authentication (Poly1305) and symmetric encryption (XSalsa20) are state of the art peer-reviewed algorithms. \n\nUnfortunately Tox’ authenticated key exchange (AKE) during Tox’ cryptographic handshake is a \"home-brewed\" cryptographic protocol (remember: do not roll your own crypto!) and is known to be vulnerable to key compromise impersonation (KCI) attacks [2]. In this talk we will show why this vulnerability is challenging to exploit in practice. However, we will also present a fix to this vulnerability by designing and implementing a new cryptographic Tox handshake with formally-verified security properties.\n\nKCI is a vulnerability of AKE protocols, which in this case could enable an attacker, who compromised the static long-term private X25519 [3] key of a Tox user Alice, to impersonate any other Tox user (with certain assumptions) to Alice (\"reverse impersonation\"). Furthermore, this would enable this attacker to perform a Man-in-the-Middle (MitM) attack and therefore tampering of exchanged messages. X25519 key pairs, that are necessary for the distributed hash table (DHT), make an actual KCI-attack more complex as suggested in the initial vulnerability report by Jason A. Donenfeld. \n\nThe Noise Protocol Framework [4] from Trevor Perrin (co-author of Signal [5]) was used to design a new KCI-resistant Tox’ handshake. The Noise Protocol Framework is intended to use by protocol designers to create secure channel protocols based on Diffie-Hellman (DH) key agreement. Noise provides different handshake patterns for different use cases. These patterns define a sequence of DH operations to calculate a shared symmetric session key. The security properties of these patterns are formally verified. These security properties can include forward secrecy, identity hiding and most notably KCI-resistance. A handshake pattern is instantiated by DH functions, cipher functions and hash functions to give a concrete Noise protocol. Such Noise protocols are already used in some applications, like WireGuard VPN [6]. The Noise protocol used in Tox is Noise_IK_25519_ChaChaPoly_SHA512. \n\nThe Noise-C library from Rhys Weatherley [7] was used to implement the new AKE in c-toxcore [8]. The implementation is currently in proof-of-concept state and will be further improved. In future work, instead of using the Noise-C library, which supports most of Noise’ handshake patterns and all cryptographic primitives, only the Noise protocol used in the Tox handshake will be implemented in c-toxcore. This will remove Noise-C as a dependency (i.e the only other dependency is NaCl/libsodium), reduce source lines of code and therefore reduce the attack surface. Noise also provides functions to further improve security, like session re-keying, which could also be adopted in Tox. \n\nTerminology in context of Tox: \n\n* Tox is the name of the protocol in general \n* The implementation of Tox is toxcore - a network library  (see [8])\n* The clients (using toxcore) have specific names (e.g. qTox [9]) \n\n____ \n\n* Full Master Thesis: https://pub.fh-campuswien.ac.at/obvfcwhsacc/content/titleinfo/5430137\n* [0] https://tox.chat/ \n* [1] https://nacl.cr.yp.to/ \n* [2] https://github.com/TokTok/c-toxcore/issues/426 \n* [3] https://ed25519.cr.yp.to/ \n* [4] https://noiseprotocol.org/ \n* [5] https://signal.org/docs/ \n* [6] https://www.wireguard.com/ \n* [7] https://rweather.github.io/noise-c/index.html \n* [8] https://github.com/TokTok/c-toxcore \n* [9] https://github.com/qTox/qTox","original_language":"eng","persons":["Tobias \"Tobi\" Buchberger"],"tags":["rc3-franconiannet","84","2020","franconian.net talks","franconian.net","backspace"],"view_count":288,"promoted":false,"date":"2020-12-27T19:55:00.000+01:00","release_date":"2021-02-04T00:00:00.000+01:00","updated_at":"2026-03-01T11:45:06.224+01:00","length":2216,"duration":2216,"thumb_url":"https://static.media.ccc.de/media/events/rc3/84-7c09baef-9120-5eb2-866b-b33ed4da207c.jpg","poster_url":"https://static.media.ccc.de/media/events/rc3/84-7c09baef-9120-5eb2-866b-b33ed4da207c_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/rc3/84-7c09baef-9120-5eb2-866b-b33ed4da207c.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/rc3/84-7c09baef-9120-5eb2-866b-b33ed4da207c.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/rc3-709912-adopting_the_noise_key_exchange_in_tox","url":"https://api.media.ccc.de/public/events/7c09baef-9120-5eb2-866b-b33ed4da207c","conference_title":"Remote Chaos Experience","conference_url":"https://api.media.ccc.de/public/conferences/rc3","related":[],"recordings":[{"size":19,"length":2216,"mime_type":"audio/opus","language":"eng","filename":"rc3-franconiannet-84-eng-Adopting_the_Noise_Key_Exchange_in_Tox_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2021-02-04T22:21:03.766+01:00","recording_url":"https://cdn.media.ccc.de/events/rc3/opus/rc3-franconiannet-84-eng-Adopting_the_Noise_Key_Exchange_in_Tox_opus.opus","url":"https://api.media.ccc.de/public/recordings/51821","event_url":"https://api.media.ccc.de/public/events/7c09baef-9120-5eb2-866b-b33ed4da207c","conference_url":"https://api.media.ccc.de/public/conferences/rc3"},{"size":192,"length":2216,"mime_type":"video/webm","language":"eng","filename":"rc3-franconiannet-84-eng-Adopting_the_Noise_Key_Exchange_in_Tox_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2021-02-04T22:19:42.824+01:00","recording_url":"https://cdn.media.ccc.de/events/rc3/webm-hd/rc3-franconiannet-84-eng-Adopting_the_Noise_Key_Exchange_in_Tox_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/51820","event_url":"https://api.media.ccc.de/public/events/7c09baef-9120-5eb2-866b-b33ed4da207c","conference_url":"https://api.media.ccc.de/public/conferences/rc3"},{"size":55,"length":2216,"mime_type":"video/mp4","language":"eng","filename":"rc3-franconiannet-84-eng-Adopting_the_Noise_Key_Exchange_in_Tox_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2021-02-04T22:19:05.588+01:00","recording_url":"https://cdn.media.ccc.de/events/rc3/h264-sd/rc3-franconiannet-84-eng-Adopting_the_Noise_Key_Exchange_in_Tox_sd.mp4","url":"https://api.media.ccc.de/public/recordings/51819","event_url":"https://api.media.ccc.de/public/events/7c09baef-9120-5eb2-866b-b33ed4da207c","conference_url":"https://api.media.ccc.de/public/conferences/rc3"},{"size":33,"length":2216,"mime_type":"audio/mpeg","language":"eng","filename":"rc3-franconiannet-84-eng-Adopting_the_Noise_Key_Exchange_in_Tox_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2021-02-04T22:16:57.885+01:00","recording_url":"https://cdn.media.ccc.de/events/rc3/mp3/rc3-franconiannet-84-eng-Adopting_the_Noise_Key_Exchange_in_Tox_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/51818","event_url":"https://api.media.ccc.de/public/events/7c09baef-9120-5eb2-866b-b33ed4da207c","conference_url":"https://api.media.ccc.de/public/conferences/rc3"},{"size":75,"length":2216,"mime_type":"video/webm","language":"eng","filename":"rc3-franconiannet-84-eng-Adopting_the_Noise_Key_Exchange_in_Tox_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2021-02-04T22:13:37.342+01:00","recording_url":"https://cdn.media.ccc.de/events/rc3/webm-sd/rc3-franconiannet-84-eng-Adopting_the_Noise_Key_Exchange_in_Tox_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/51816","event_url":"https://api.media.ccc.de/public/events/7c09baef-9120-5eb2-866b-b33ed4da207c","conference_url":"https://api.media.ccc.de/public/conferences/rc3"},{"size":122,"length":2216,"mime_type":"video/mp4","language":"eng","filename":"rc3-franconiannet-84-eng-Adopting_the_Noise_Key_Exchange_in_Tox_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2021-02-04T21:50:15.032+01:00","recording_url":"https://cdn.media.ccc.de/events/rc3/h264-hd/rc3-franconiannet-84-eng-Adopting_the_Noise_Key_Exchange_in_Tox_hd.mp4","url":"https://api.media.ccc.de/public/recordings/51806","event_url":"https://api.media.ccc.de/public/events/7c09baef-9120-5eb2-866b-b33ed4da207c","conference_url":"https://api.media.ccc.de/public/conferences/rc3"}]}