[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Payload encryption

To: mixminion-dev@freehaven.net
Subject: Payload encryption
From: George Danezis <gd@theory.lcs.mit.edu>
Date: Fri, 31 May 2002 10:29:55 -0400 (EDT)
Delivered-To: archiver@seul.org
Delivered-To: mixminion-dev-outgoing@seul.org
Delivered-To: mixminion-dev@seul.org
Delivery-Date: Fri, 31 May 2002 10:29:56 -0400
Reply-To: mixminion-dev@freehaven.net
Sender: owner-mixminion-dev@freehaven.net

It has been discussed many times in the past but I do not seem to remember 
if we have reached a final conclusion.

*How should we do the encryption of the payload?*

Motivation: 
1) We do not want the payload to be in clear because that 
provides information to an adversary that performs tagging attacks. The 
main concern is reply blocks where the sender can be the victim of a low 
bandwidth tagging attack if his message is modified on the first leg of 
its journey. NOTE: if a tagging attack was performed the decryption of the 
second header will yield junk and the message will get dropped on the next 
mix. (which could give away some information).
2) We do not want to payload in clear since the contents of the message 
could be used to extract some information about the parties 
communicating.

Difficulties: 
1) Need to link the public key used to encrypt the message to the reply 
block (so that it cannot be exchanges for another one).
2) The body should be undistinguishable from random noise. (not sure if 
RSA has this property).

Proposed Solution (open for comments):

Constructor of the SURB:

They choose an RSA public key with a modulus that is large enough for any
bits in the ciphertext not to have any bias (the highest will in practice
but it will be difficult to measure it using only one message).  
Alternativelly (or additionally) we use a key private RSA construction.
The RSA key can be choosen using a PRNG seeded by a key derived form the 
key included in the stateless return address. Therefore when the messge is 
received the RSA private key can be recreated (this maitains the staeless 
properties)

The hash of the public key is used as padding for the SURB, and therefore
is included in the hash inside all the sub-headers. That should avoid a
message encrypted under the wrong public key to travel using the SURB.
(transforms an otherwise passive attack into an active attack)

Creator of payload

Check that the hash of the RSA key hash is the one contained in the SURB.

Add at the head of the Payload a Nonce of 128 bits and the Hash of the
payload (160 bits) and process the message. Encrypt the payload using
LIONESS (or any other AONT) using a fixed key (in fact this is a Package
transform). Then encrypt the 128 first bytes using RSA.

Please comment/propose other schemes etc...

Yours,

George

Prev by Date: a better explanation of "header-swap is not perfectly indistinguishable"
Prev by thread: a better explanation of "header-swap is not perfectly indistinguishable"
Index(es):
- Date
- Thread