
Re: [tor-dev] Proposal 332: Ntor protocol with extra data, version 3.
On Mon, Jul 12, 2021 at 12:01:47PM -0400, Nick Mathewson wrote:
> Both parties know that they used the same verification string; if
> they did not, they do not learn what the verification string was.
> (This feature is required for HS handshakes.)

I'm not sure the protocol you specify has this feature as written.  For
example, if the verification string has low entropy, the server could
brute-force the client's verification string (using the MAC to check its
guess).  This is unlike, say, OTR's SMP or a PAKE, in which each online
execution of the protocol allows the server just one guess.

But perhaps you don't actually need the property in as strong a form as
you wrote it, since the HS handshake application has high-entropy
secrets?
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
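The offline brute-force the reply describes, worked through in a toy model (added example, not code from the thread, from Proposal 332, or from Tor). The model assumes only that the verification string is mixed into the MAC key alongside the shared secret, so that a peer who already knows the shared secret can recompute the MAC for each candidate string and compare it against the one it received. The KDF, the transcript and the PIN-like verification string are constructed for the example; the real ntor v3 derivation differs in detail.

```python
import hashlib
import hmac
import secrets


def derive_mac_key(shared_secret: bytes, verification: bytes) -> bytes:
    """Toy KDF (an assumption for this example): the verification string is
    bound into the MAC key together with the handshake's shared secret."""
    return hashlib.sha256(b"toy-kdf|" + shared_secret + b"|" + verification).digest()


def handshake_mac(shared_secret: bytes, verification: bytes, transcript: bytes) -> bytes:
    """The MAC a party sends over the handshake transcript."""
    key = derive_mac_key(shared_secret, verification)
    return hmac.new(key, transcript, hashlib.sha256).digest()


def server_bruteforce(shared_secret: bytes, transcript: bytes, observed_mac: bytes, candidates):
    """The server already holds shared_secret and the transcript, so every
    candidate verification string can be checked offline against the client's
    MAC, with no further round trips. Returns (recovered_string, guesses)."""
    guesses = 0
    for cand in candidates:
        guesses += 1
        if hmac.compare_digest(handshake_mac(shared_secret, cand, transcript), observed_mac):
            return cand, guesses
    return None, guesses


# Constructed transcript stand-in; the real one would carry the public keys etc.
TRANSCRIPT = b"constructed transcript: ID|B|X|Y"


def demo_low_entropy():
    """Client uses a 4-digit PIN as its verification string: the server
    recovers it by enumerating all 10,000 possibilities against the MAC."""
    shared_secret = secrets.token_bytes(32)
    client_verification = b"1234"  # constructed low-entropy value
    mac = handshake_mac(shared_secret, client_verification, TRANSCRIPT)
    candidates = (f"{i:04d}".encode() for i in range(10_000))
    recovered, _ = server_bruteforce(shared_secret, TRANSCRIPT, mac, candidates)
    return recovered


def demo_high_entropy(budget: int = 10_000):
    """Same protocol with a 256-bit random verification string: the same
    guessing budget finds nothing, which is the regime an HS handshake with
    high-entropy secrets is in."""
    shared_secret = secrets.token_bytes(32)
    client_verification = secrets.token_bytes(32)
    mac = handshake_mac(shared_secret, client_verification, TRANSCRIPT)
    candidates = (secrets.token_bytes(32) for _ in range(budget))
    recovered, _ = server_bruteforce(shared_secret, TRANSCRIPT, mac, candidates)
    return recovered


if __name__ == "__main__":
    print("low-entropy verification recovered:", demo_low_entropy())
    print("high-entropy verification recovered:", demo_high_entropy())
```

The contrast with SMP or a PAKE is that there each guess costs a fresh online run with the other party, whereas here every guess is a local hash computation once one MAC has been received, so the property only holds when the verification string itself has enough entropy to make that enumeration infeasible.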