[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks
From: Watson Ladd <watsonbladd@xxxxxxxxx>
Date: Mon, 12 Mar 2012 08:18:07 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 12 Mar 2012 09:18:25 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=uGmAEtxFD+RWHofXOcG/kw+FLrpH8IP6zos4gsxt9U8=; b=v1bZkkrIO20MAPAbvyWkMnbKEpV5PyoL37QSNaIUAvC5N6v7ctwsCev6CcpRkivdAY tfgFHUwN4tv6Q/zG57bB03zY10R+g96PJXgp9Brgg2/ApFaCEJ7Fl3k2lxvAtlHN5QBZ wLYWVqY49YEHpVuVyikd10ATwOaB3NVflyG4pSqDYVsqelnP7eDoXKk837w0pBDRBH+X icpBqYCE4+wdJnPOgytWk/5OLxit+Nio6+LYJJtRpKSqzX71Me1hH5ncSz2b4I5IuOtJ 1X5cdDDygF4QGQMbWZVXv1OaLb1P/NOBLNDh1xiOYsf8UnR4TR9SoWB2vKGiS+eZcVtH IKpQ==
In-reply-to: <CABqy+spQ0R81-a26vt4hunE-nyA1k_6eLe5E5FP0jWktuk+eJg@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for discussion by the developers of Tor." <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CACSd=o4B4RTWy4+jRpvEdUc0N+jS1DNiT0xAOUhQJjbAcjmgbQ@xxxxxxxxxxxxxx> <CABqy+sqxX4Cv_K1mLNBY7CW+--bUBwFhZtoqKNCH6ONdKGzaGg@xxxxxxxxxxxxxx> <CACsn0ckmTiBdagGLbZaDVZTfhpcP2-VtstCGyZuQC4hwnxagZQ@xxxxxxxxxxxxxx> <CABqy+spQ0R81-a26vt4hunE-nyA1k_6eLe5E5FP0jWktuk+eJg@xxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx

On Sun, Mar 11, 2012 at 10:45 PM, Robert Ransom <rransom.8774@xxxxxxxxx> wrote:
> On 2012-03-12, Watson Ladd <watsonbladd@xxxxxxxxx> wrote:
>> On Sun, Mar 11, 2012 at 8:32 PM, Robert Ransom <rransom.8774@xxxxxxxxx>
>> wrote:
>
>>> But http://www.cl.cam.ac.uk/~rja14/Papers/bear-lion.pdf and an
>>> end-to-end MAC is more likely as a solution to the end-to-end tagging
>>> attack, because (a) per-hop MACs would take up much more space in each
>>> cell and disclose the length of a circuit to the exit node, and (b)
>>> with per-hop MACs, if you can get a forgery accepted (which happens
>>> with probability 2^(-n), where n is the number of bits in the MAC, for
>>> any MAC that Tor could use), you know with probability 2^(-n) that the
>>> next hop is the last one.
>> You are going to have to be careful and explain this to me. I get the
>> leaking the length of a circuit and position in the chain. But we use
>> length 3 circuits in the current client node all the time, and if you
>> weren't the start or the end, you are the middle. The forgery
>> acceptance probability for Poly1305 is 2^-128. Forgery is not going to
>> happen.
>
> Non-truncated Poly1305 takes 16 bytes per relay, so it would eat up at
> least 48 bytes per 512-byte cell, and more on 4-hop circuits (which
> Tor clients do build fairly often) and hidden-service rendezvous
> circuits. ÂNon-truncated Poly1305 is not going to happen.
>
>
>> I also don't see what Bear/Lionness gets us. It does solve problems
>> with losing sync. It does so at a cost of determining when identical
>> ORs are sent, which happens a lot: think multiple http requests.
>
> What do you mean by "ORs"?
I ment cells: brain glitch.
>
> (The BEAR/LION key would likely be different for each cell that a
> relay processes.)
Different how: if we simply increment the key we still remain open to
replay attacks.
>
>> Losing semantic security is a Bad Thing. I'll freely admit there are
>> issues with incorporating a leak of circuit length into the protocol,
>> as well as possibly (depending on details of TLS) leaking what lengths
>> end where to a global adversary.
>
> An end-to-end MAC inside the BEAR/LION wrapper should provide all the
> security properties we need (note that the MAC key would also need to
> be different for each cell).
So we need to include nonces with each cell, which we need to do anyway.
>
>
> Robert Ransom
> _______________________________________________
> tor-dev mailing list
> tor-dev@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neitherÂ Liberty nor Safety."
-- Benjamin Franklin
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks
  - From: Robert Ransom

References:
- [tor-dev] Analysis of the Relative Severity of Tagging Attacks
  - From: The23rd Raccoon
- Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks
  - From: Robert Ransom
- Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks
  - From: Watson Ladd
- Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks
  - From: Robert Ransom

Prev by Author: Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks
Next by Author: Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks
Previous by thread: Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks
Next by thread: Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks
Index(es):
- Author
- Thread