Adopting the Noise Key Exchange in Tox - Tobias "Tobi" Buchberger
rc3-franconiannet - franconian.net talks - 12/27/2020
Tox  is a free and open source peer-to-peer instant messaging protocol and implementation, that aims to provide secure messaging. It’s intended as an end-to-end encrypted (E2EE) and distributed Skype replacement. Tox’ cryptography is based on the NaCl library from Daniel J. Bernstein . The cryptographic primitives for the key exchange (X25519), authentication (Poly1305) and symmetric encryption (XSalsa20) are state of the art peer-reviewed algorithms.
Unfortunately Tox’ authenticated key exchange (AKE) during Tox’ cryptographic handshake is a "home-brewed" cryptographic protocol (remember: do not roll your own crypto!) and is known to be vulnerable to key compromise impersonation (KCI) attacks . In this talk we will show why this vulnerability is challenging to exploit in practice. However, we will also present a fix to this vulnerability by designing and implementing a new cryptographic Tox handshake with formally-verified security properties.
KCI is a vulnerability of AKE protocols, which in this case could enable an attacker, who compromised the static long-term private X25519  key of a Tox user Alice, to impersonate any other Tox user (with certain assumptions) to Alice ("reverse impersonation"). Furthermore, this would enable this attacker to perform a Man-in-the-Middle (MitM) attack and therefore tampering of exchanged messages. X25519 key pairs, that are necessary for the distributed hash table (DHT), make an actual KCI-attack more complex as suggested in the initial vulnerability report by Jason A. Donenfeld.
The Noise Protocol Framework  from Trevor Perrin (co-author of Signal ) was used to design a new KCI-resistant Tox’ handshake. The Noise Protocol Framework is intended to use by protocol designers to create secure channel protocols based on Diffie-Hellman (DH) key agreement. Noise provides different handshake patterns for different use cases. These patterns define a sequence of DH operations to calculate a shared symmetric session key. The security properties of these patterns are formally verified. These security properties can include forward secrecy, identity hiding and most notably KCI-resistance. A handshake pattern is instantiated by DH functions, cipher functions and hash functions to give a concrete Noise protocol. Such Noise protocols are already used in some applications, like WireGuard VPN . The Noise protocol used in Tox is Noise_IK_25519_ChaChaPoly_SHA512.
The Noise-C library from Rhys Weatherley  was used to implement the new AKE in c-toxcore . The implementation is currently in proof-of-concept state and will be further improved. In future work, instead of using the Noise-C library, which supports most of Noise’ handshake patterns and all cryptographic primitives, only the Noise protocol used in the Tox handshake will be implemented in c-toxcore. This will remove Noise-C as a dependency (i.e the only other dependency is NaCl/libsodium), reduce source lines of code and therefore reduce the attack surface. Noise also provides functions to further improve security, like session re-keying, which could also be adopted in Tox.
Terminology in context of Tox:
* Tox is the name of the protocol in general
* The implementation of Tox is toxcore - a network library (see )
* The clients (using toxcore) have specific names (e.g. qTox )
* Full Master Thesis: https://pub.fh-campuswien.ac.at/obvfcwhsacc/content/titleinfo/5430137
*  https://tox.chat/
*  https://nacl.cr.yp.to/
*  https://github.com/TokTok/c-toxcore/issues/426
*  https://ed25519.cr.yp.to/
*  https://noiseprotocol.org/
*  https://signal.org/docs/
*  https://www.wireguard.com/
*  https://rweather.github.io/noise-c/index.html
*  https://github.com/TokTok/c-toxcore
*  https://github.com/qTox/qTox