[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Proposal 332: Ntor protocol with extra data, version 3.

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Proposal 332: Ntor protocol with extra data, version 3.
From: Ian Goldberg <iang@xxxxxxxxxxxx>
Date: Mon, 12 Jul 2021 15:04:11 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 12 Jul 2021 15:04:32 -0400
Dkim-filter: OpenDKIM Filter v2.11.0 orthrus.uwaterloo.ca 16CJ4C0S021257
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uwaterloo.ca; s=default; t=1626116655; bh=tJkT40VlYUv8zN/Z+fvyz7WOYipYUBZ8U8zntNlMpd8=; h=Date:From:To:Subject:References:In-Reply-To:From; b=6R4dRS/G07WA49vEOKl2cHeVdxQOEzvTrLATmVf6zOrf4J+zp5fZUM+PzcXglf+0+ dXlLFx4N4vZT8vQh7TmkWumewDgCUGfKvHsGnz0G/2rxuhB+zRNvWz5e755F/3npAJ RXvecULnip/sIuJa8WZPx6L9/VbBMDac0tm/UvGs=
In-reply-to: <CAKDKvuwT_xVDK-W+RX=GkPvaK+0kY1oJA=S3a61+XajYzSY1sg@mail.gmail.com>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CAKDKvuwT_xVDK-W+RX=GkPvaK+0kY1oJA=S3a61+XajYzSY1sg@mail.gmail.com>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.9.4 (2018-02-28)

On Mon, Jul 12, 2021 at 12:01:47PM -0400, Nick Mathewson wrote:
> Both parties know that they used the same verification string; if
> they did not, they do not learn what the verification string was.
> (This feature is required for HS handshakes.)

I'm not sure the protocol you specify has this feature as written.  For
example, if the verification string has low entropy, the server could
brute-force the client's verification string (using the MAC to check its
guess).  This is unlike, say, OTR's SMP or a PAKE, in which each online
execution of the protocol allows the server just one guess.

But perhaps you don't actually need the property in as strong a form as
you wrote it, since the HS handshake application has high-entropy
secrets?
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] Proposal 332: Ntor protocol with extra data, version 3.
  - From: Nick Mathewson

References:
- [tor-dev] Proposal 332: Ntor protocol with extra data, version 3.
  - From: Nick Mathewson

Prev by Author: [tor-dev] A series of questions about Tor (m1 support, forward secrecy, v3 auth)
Next by Author: Re: [tor-dev] Proposal 332: Ntor protocol with extra data, version 3.
Previous by thread: [tor-dev] Proposal 332: Ntor protocol with extra data, version 3.
Next by thread: Re: [tor-dev] Proposal 332: Ntor protocol with extra data, version 3.
Index(es):
- Author
- Thread