Add Noise Protocol (or equivalent) as alternative to SSL/TLS

Marco Argentieri

Aug 17, 2020, 6:27:37 PM
to grpc.io
Hello! I want to be able to use the Noise Protocol to securely perform mutual authentication and end-to-end encrypt the messages exchanged.

The naive way of doing this at the application layer would be to have all the methods take the same message, containing a bytes field with the serialized actual protobuf message, like:

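```
syntax = "proto3";

service Trade {
  // Every method carries the same opaque envelope.
  rpc SecureMethod(SignedMessage) returns (SignedMessage);
}

message SignedMessage {
  uint32 length = 1;  // length of payload in bytes
  bytes payload = 2;  // encrypted, serialized protobuf message
}
```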

Then the gRPC server would decrypt the given payload and deserialize the bytes to a defined protobuf message. (Just not sure if this naive method could work with streaming replies.)

But it would be way nicer if a three-act ECDH key exchange for subsequent symmetric encryption could be done at the gRPC level (maybe using the Credentials plugin API?).
I would like to keep using the existing protobuf definitions and not do any additional encrypting/decrypting and subsequent serialization/deserialization at the application level.

Any help on where/what to touch would be much appreciated.


Easwar Swaminathan

Aug 19, 2020, 1:26:26 PM
to grpc.io
Hi Marco,
I do not know enough about the Noise protocol. But from what I understand, you are trying to perform mutual authentication and encryption.

In gRPC-Go, you can provide your own implementation of the TransportCredentials interface: https://godoc.org/google.golang.org/grpc/credentials#TransportCredentials which implements the Noise protocol. There should be corresponding APIs in the other languages supported by gRPC as well. Using this approach lets your application deal with application level data instead of transport level data.

Thanks
Easwar

Christopher Warrington - MSFT

Aug 20, 2020, 12:53:23 PM
to grpc.io
On Monday, August 17, 2020 at 3:27:37 PM UTC-7, Marco Argentieri wrote:

> I want to be able to use the Noise Protocol to securely perform mutual
> authentication and end to end encrypt the messages exchanged.
>
> ...
>
> But, would be way nicer if a three act ECDH key exchange for subsequent
> symmetric encryption could be done at grpc level (maybe using Credentials
> plugin API?)
>
> I would like to keep using existing protobuf definition and do not do any
> additional encrypting/decrypting and subsequent
> serialization/deserialization at application level.

An alternative potential approach: bring up a WireGuard tunnel and perform
your authN there. Then, run gRPC in plain text over that tunnel.

--
Christopher Warrington
Microsoft Corp.

Marco Argentieri

Aug 29, 2020, 11:51:02 AM
to grpc.io
> In gRPC-Go, you can provide your own implementation of the TransportCredentials interface

That's exactly what I'm looking for. Is there an example or other project you can think of on how they implemented the interface? Thanks.