0

Nowadays I work maintaining an web application written in Node.js and we use HTTPS with TLS 1.2. We have to implement a new feature related to security on this application, all HTTP messages must be encrypted, and we will have all messages encrypted two times ultimately, one time using TLS and another through the new feature. We are studing the Noise Protocol to know if makes sense use it on this new feature, but from what I understand so far, the Noise Protocol would be an alternative to TLS. I'd like to know if makes sense use both protocols together, or if they are mutually exclusive.

We don't know how to utilize the Noise Protocol yet, if we simply pick up an implementation and include on the project or if the Node.js should offer an implementation like TLS. I found this implementation on GitHub: Noise-c.

Any clarification or help is welcome, thanks.

SEJPM
  • 46,697
  • 9
  • 103
  • 214
Humberto CorrĂȘa
  • 101
  • 3

1 Answers1

1

Using two transport protocols is not a good idea. You would double-encrypt your data. However, the symmetric ciphers are generally rather secure if applied correctly.

Besides double encrypting your data you would also get: double the security warnings to react to, double key management, double the initial handshake processing, double the latency.

If you want to encrypt twice it is probably better to perform additional end-to-end encryption / decryption on top of the point-to-point encryption that the TLS security offers. That way you can keep your messages secure over multiple point-to-point connections and after receiving them at the end points. For this you could device your own protocol or you could use web-security.

Generally it is better to perform encryption well once, instead of performing it badly twice. Bullet-proofing your TLS connection makes the most sense if you just require transport protocol security. Encrypting things twice should not be your goal. The goal is simply to secure your messages to the best of your ability.

The noise protocol seems to be in draft stage. Besides that, it seems a rather generic sum of possible algorithms more than an actual protocol. It seems that it mainly has been setup to explain the security behind WhatsApp rather than to be a protocol that you should consider. Just the formatting of the messages is already ill-defined, and it is unclear which kind of authentication method you should be using.

Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323