[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: New key negotiations

On Sun, Sep 03, 2006 at 11:03:46AM -0400, Watson Ladd wrote:
> Is it possible to change the key negotiation method in a
> backwards-compatible way? I see no indication in the torspec.txt of this
> being possible. So is the removal of an exponentiation by client and
> server worth the price of a break with old clients and servers?

We do plan on versioning the protocol soon, some time in the next
version or two.  The plan for doing this with circuit negotiation is
to add a note in router descriptors to indicate which circuit protocol
a given router speaks.

It isn't too likely that the protocol you describe will go in, though.
The problem with our current key setup and authentication protocol is
not _just_ that it's slow, but that it's fragile -- although there is
a security proof (by Ian Goldberg in PET 2006 [1]), the proof relies
on (previously) unintended implementation details, and the paper
argues that the protocol is easy to mis-implement.

Nevertheless, the current key negotiation protocol *does* have a
correctness proof.  If we replace the key negotiation protocol, we'll
do it with something _more_ proven and well-established, not less.

It does look like a cool idea, though.  You should probably see
whether something similar exists in the literature, and whether any of
the attacks from the literature work on your proposal.  Just because
it isn't ready for Tor, doesn't mean it's not worth pursuing.

[1] http://www.cypherpunks.ca/~iang/pubs/torsec.pdf

Nick Mathewson

Attachment: pgpzlg2gh7ICJ.pgp
Description: PGP signature