
Re: Speaking of cryptography

Roger Dingledine wrote:
On Tue, Jan 05, 2010 at 11:26:36PM +0100, moris blues wrote:
I read about: Speaking of cryptography,
check for bad values of g^x, g^y...

Apparently a MIM-attack on the DH is available. What options are there to protect against it?

I assume you're talking about

You should also read

There is still the possibility of using the MQV HMQV protocol.

My question then is why it is not used.
Is it possible to implement the MQV as a substitute for DH?

No idea. Somebody clueful in crypto would have to figure that one out,
and then convince somebody that's both clueful in crypto and well-known
in the Tor community to believe it.

Writing it up as a research paper and getting it published would be the
best approach. Writing it up as a Tor proposal and including a thorough
security/performance/transition analysis might work too. Identifying
further problems in the current approach would encourage us to switch


Forget about MQV and HMQV ... they are flawed. Look at FHMQV (http://eprint.iacr.org/2009/408) or JFK(i|r) (http://people.csail.mit.edu/canetti/materials/jfk.pdf) instead.

JFKi is what we use in Freenet (http://wiki.freenetproject.org/JFki)... In Tor's case JFKr would probably make more sense though. But again, we had a different threat model and were trying to protect ourselves from DoS (memory and CPU). Before that we were using a signed-DH exchange checking for bad values like Tor does at the moment and as far as I know that is still believed to be secure nowadays.


PS: There are later revisions of the JFK paper... but I can't find it in my bookmarks.
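
Added example, not part of the original thread and not Tor's or Freenet's code: a sketch of the "check for bad values of g^x, g^y" discussed above, showing which peer public values collapse the DH shared secret into a tiny set. The toy group (P, Q, G), the function names and the optional subgroup test are assumptions made for illustration; the subgroup test goes beyond the range check the thread refers to.

```python
import secrets

# Constructed toy group, far too small for real use: safe prime P = 2*Q + 1,
# with G = 2 generating the subgroup of prime order Q.
P, Q, G = 2039, 1019, 2

def check_dh_public(y, p=P, q=Q):
    """Return None if the peer's public value y is acceptable, else a reason."""
    if not isinstance(y, int) or isinstance(y, bool):
        return "not an integer"
    # 0, 1 and p-1 (and anything outside [2, p-2], including unreduced
    # values such as p+1) force the shared secret into a tiny known set.
    if y < 2 or y > p - 2:
        return "outside [2, p-2]"
    # Stricter, optional check (an addition, not something the thread says
    # Tor does): y must lie in the order-q subgroup.
    if q is not None and pow(y, q, p) != 1:
        return "not in the order-q subgroup"
    return None

def reachable_secrets(y, p=P, q=Q, trials=200):
    """Shared secrets y^x mod p seen over random private exponents x in [1, q-1]."""
    return {pow(y, secrets.randbelow(q - 1) + 1, p) for _ in range(trials)}

def accept_and_derive(y, x, p=P, q=Q):
    """Validate first, then compute the shared secret; raise on a bad value."""
    reason = check_dh_public(y, p, q)
    if reason is not None:
        raise ValueError(f"rejecting DH public value: {reason}")
    return pow(y, x, p)

if __name__ == "__main__":
    # Constructed sample inputs: degenerate values, then one honest g^x.
    for label, y in [("0", 0), ("1", 1), ("p-1", P - 1), ("p+1", P + 1),
                     ("p-g", P - G), ("g^77", pow(G, 77, P))]:
        print(f"{label:>5}: check={check_dh_public(y)!r:32} "
              f"distinct secrets={len(reachable_secrets(y))}")
```

The check has to run before the shared secret is fed into any key derivation; signing the exchange does not help if a degenerate value is accepted from an authenticated but misbehaving peer.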
