[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #9719 [Tor]: Reuse Y in ntor



#9719: Reuse Y in ntor
-------------------------+---------------------
 Reporter:  rransom      |          Owner:
     Type:  enhancement  |         Status:  new
 Priority:  normal       |      Milestone:
Component:  Tor          |        Version:
 Keywords:               |  Actual Points:
Parent ID:  #9662        |         Points:
-------------------------+---------------------
 `Y` serves two purposes in ntor: it provides forward secrecy, and it
 provides freshness (i.e. it ensures that the resulting session key will
 never be used for more than one session).

 Forward secrecy only requires that `y` be reasonably short-lived.
 Changing it every 5 minutes is more than adequate.

 Freshness could have been obtained by sending a server-provided nonce in
 the handshake, and including that nonce in every hash performed by ntor
 (and thus in the resulting key).  Unfortunately, Tor's current ntor
 protocol doesn't allow for a nonce.

 The best that can be done without a protocol change is:
  * store `(y, Y)` on a per-thread basis;
  * generate a secret SipHash key `k` along with each `(y, Y)`;
  * keep a per-thread 2^14^-bit replay-detection Bloom filter of the `bX`
 values computed during the server handshake, using SipHash as the hash and
 `k` as the key;
  * if the Bloom filter cannot prove that `bX` computed during a handshake
 is new, generate a new `(y, Y)` and `k`, and clear the Bloom filter.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9719>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs