Remove Noise protocol references from wiki docs and tests
Delete 8 Noise-specific documentation pages (noise-xx.md,
transport-keys.md, adr-001/003/006, framing-codec.md) and update
~30 remaining wiki pages to reflect QUIC+TLS as the sole transport.
Remove obsolete Noise-based integration tests (auth_service.rs,
mls_group.rs). Code-side Noise removal was done in f334ed3.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -17,12 +17,12 @@ payloads. Cannot modify traffic.
|
||||
- Connection metadata: which IP addresses connect to the server and when.
|
||||
- Message timing and sizes: observable patterns (e.g., message frequency,
|
||||
payload lengths) that could reveal communication patterns.
|
||||
- Encrypted payloads: TLS 1.3 ciphertext containing Noise ciphertext containing
|
||||
MLS ciphertext. Three layers of encryption must be broken to access content.
|
||||
- Encrypted payloads: TLS 1.3 ciphertext containing MLS ciphertext. Both layers
|
||||
of encryption must be broken to access content.
|
||||
|
||||
**What they cannot learn:**
|
||||
|
||||
- Message content: protected by MLS encryption inside Noise inside TLS.
|
||||
- Message content: protected by MLS encryption inside TLS.
|
||||
- Group membership details: MLS Commits are encrypted.
|
||||
- Which specific recipient a message is destined for (from the network
|
||||
perspective, all messages go to the server).
|
||||
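Review bot: The new "Encrypted payloads" bullet names the outer layer only as "TLS 1.3 ciphertext", while other hunks in this commit write "TLS 1.3 (QUIC)" and "QUIC/TLS 1.3", and the commit message states that QUIC+TLS is the sole transport. Suggest one spelling across the page, for example "QUIC/TLS 1.3 ciphertext containing MLS ciphertext", and the same in the "Message content" bullet, which currently reads "MLS encryption inside TLS".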
@@ -51,7 +51,7 @@ state-level adversary).
|
||||
|
||||
**What they cannot do (assuming no cert MITM):**
|
||||
|
||||
- Decrypt TLS/Noise traffic: both use authenticated ephemeral key exchange.
|
||||
- Decrypt TLS traffic: TLS 1.3 uses authenticated ephemeral key exchange.
|
||||
- Forge MLS messages: MLS Commits and application messages are signed by the
|
||||
sender's Ed25519 identity key. The attacker does not possess any member's
|
||||
signing key.
|
||||
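Review bot: In the "Decrypt TLS traffic" bullet, the word "authenticated" now rests entirely on the heading's condition "assuming no cert MITM", because the line it replaces credited two handshakes and only one remains. Suggest saying in the bullet what authenticates the exchange (the server certificate) and pointing to the "Active MITM" row of the summary table, which still lists "Self-signed certs" as the gap.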
@@ -145,8 +145,8 @@ The healing window is the time between the compromise and the next Commit. See
|
||||
| Message integrity | MLS signing (Ed25519) | Forgery by server or network |
|
||||
| Group membership changes | MLS Commits (signed, authenticated) | Unauthorized modification |
|
||||
| Key exchange material | Single-use HPKE init keys | Replay, forward compromise |
|
||||
| Transport confidentiality | TLS 1.3 + Noise\_XX (double encryption) | Passive eavesdropper |
|
||||
| Transport integrity | TLS 1.3 AEAD + Noise AEAD | Active network attacker |
|
||||
| Transport confidentiality | TLS 1.3 (QUIC) | Passive eavesdropper |
|
||||
| Transport integrity | TLS 1.3 AEAD | Active network attacker |
|
||||
| Past messages | Forward secrecy (epoch key deletion) | Future client compromise |
|
||||
| Future messages | Post-compromise security (ratchet tree update) | Past client compromise |
|
||||
|
||||
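Review bot: The two rewritten transport rows are labelled differently: confidentiality is "TLS 1.3 (QUIC)" and integrity is "TLS 1.3 AEAD" with no mention of QUIC. Suggest naming the mechanism the same way in both rows, for example "TLS 1.3 AEAD (QUIC)" for integrity, so a reader does not take them for two separate protections.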
@@ -223,16 +223,16 @@ log of public key bindings.
|
||||
### Classical-Only Transport
|
||||
|
||||
As discussed in [Post-Quantum Readiness](post-quantum-readiness.md), the
|
||||
transport layer (TLS 1.3, Noise\_XX) uses classical-only cryptography. An
|
||||
adversary performing harvest-now-decrypt-later (HNDL) could record transport
|
||||
traffic today and decrypt it with a future quantum computer, revealing transport
|
||||
transport layer (QUIC/TLS 1.3) uses classical-only ECDHE. An adversary
|
||||
performing harvest-now-decrypt-later (HNDL) could record transport traffic
|
||||
today and decrypt it with a future quantum computer, revealing transport
|
||||
metadata.
|
||||
|
||||
**Impact:** Future exposure of transport metadata (not content, assuming
|
||||
hybrid KEM is active for MLS).
|
||||
|
||||
**Mitigation path:** Adopt post-quantum TLS (ML-KEM in TLS 1.3 handshake) when
|
||||
`rustls` supports it. Investigate post-quantum Noise patterns.
|
||||
`rustls` supports it.
|
||||
|
||||
## Future Mitigations
|
||||
|
||||
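Review bot: The "Mitigation path" paragraph is left with a single item that is conditional on an external dependency ("when `rustls` supports it") and carries no tracking reference or revisit condition. With "Investigate post-quantum Noise patterns" removed, suggest linking the issue or page where PQ TLS adoption is tracked, or stating what triggers the re-evaluation. In the rewritten first paragraph, "classical-only ECDHE" would read more clearly as "classical-only key exchange (ECDHE)".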
@@ -313,14 +313,14 @@ communication patterns from traffic analysis.
|
||||
|
||||
| Threat | Current Protection | Gap | Planned Fix |
|
||||
|--------|-------------------|-----|-------------|
|
||||
| Passive eavesdropper | TLS + Noise + MLS (3 layers) | Traffic analysis | Padding, Tor |
|
||||
| Active MITM | TLS 1.3 + Noise\_XX | Self-signed certs | Cert pinning, CA |
|
||||
| Passive eavesdropper | TLS 1.3 + MLS (2 layers) | Traffic analysis | Padding, Tor |
|
||||
| Active MITM | TLS 1.3 (QUIC) | Self-signed certs | Cert pinning, CA |
|
||||
| Compromised server | MLS E2E encryption | Metadata visible | Sealed Sender, PIR |
|
||||
| Compromised client | FS + PCS | Current epoch exposed | Periodic Updates |
|
||||
| Spam/flooding | None | No auth on DS | AUTHZ\_PLAN |
|
||||
| Key substitution | None | BasicCredential only | Key Transparency |
|
||||
| Quantum adversary (content) | Hybrid KEM (M5+) | Pre-M5 messages | Deploy hybrid ASAP |
|
||||
| Quantum adversary (transport) | None | Classical TLS/Noise | PQ TLS, PQ Noise |
|
||||
| Quantum adversary (transport) | None | Classical TLS (ECDHE) | PQ TLS |
|
||||
|
||||
## Related Pages
|
||||
|
||||
|
||||
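Review bot: In the "Active MITM" row, the Current Protection column goes from "TLS 1.3 + Noise\_XX" to "TLS 1.3 (QUIC)" but the Gap column still reads only "Self-signed certs". Suggest the Gap cell state that transport authentication now depends on the certificate alone, so that "Cert pinning, CA" is read as the only planned control for this threat rather than one of two.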