[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks
From: Watson Ladd <watsonbladd@xxxxxxxxx>
Date: Mon, 12 Mar 2012 09:40:18 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 12 Mar 2012 10:40:35 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=wToeBjSwOG0P4jxTNfCz+ZcqtB4uSSLEK+Xm29DeyaY=; b=JnkuWQwpFwHHnlhyDwtfROzwCo4GVYxp/BC714ae4LJ2ePdvO2mN3SR3lLAOAg1jO3 loVs3gTcWCLkk8iniqo5zlqJ//Lj4Bnpr+KIqDhZK2i08t1wVvupUg4LeUJIrgsDBX59 Tq5sBtDs5CMhfSUJEfRDmNH2+MOYBk0FOrmql0bj3hi+JoHb2+/+dmfAfaK85uowhaOo Iz0Gy9w4dapLTh5ZsOxQR67NiMq4s0dlQxNEf4bj+QpGUT+fW+LZK+P47bBvHK9CB5qs Z+6nW+JVbJgl2CY5PsLJBql02t7uruAsJmEzrBQAjsL+eFyIB1azvaWg9oV7W5CHseGE Fnwg==
In-reply-to: <CABqy+srgSL8-_LAa9h1HJv6K42DqthOw3rJ=pdKkhbqks73RuA@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for discussion by the developers of Tor." <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CACSd=o4B4RTWy4+jRpvEdUc0N+jS1DNiT0xAOUhQJjbAcjmgbQ@xxxxxxxxxxxxxx> <CABqy+sqxX4Cv_K1mLNBY7CW+--bUBwFhZtoqKNCH6ONdKGzaGg@xxxxxxxxxxxxxx> <CACsn0ckmTiBdagGLbZaDVZTfhpcP2-VtstCGyZuQC4hwnxagZQ@xxxxxxxxxxxxxx> <CABqy+spQ0R81-a26vt4hunE-nyA1k_6eLe5E5FP0jWktuk+eJg@xxxxxxxxxxxxxx> <CACsn0cnR8G18uOyVqDkOvDbYKkASoS574muaeCS9Si46-y5zxQ@xxxxxxxxxxxxxx> <CABqy+srgSL8-_LAa9h1HJv6K42DqthOw3rJ=pdKkhbqks73RuA@xxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx

On Mon, Mar 12, 2012 at 9:04 AM, Robert Ransom <rransom.8774@xxxxxxxxx> wrote:
> On 2012-03-12, Watson Ladd <watsonbladd@xxxxxxxxx> wrote:
>> On Sun, Mar 11, 2012 at 10:45 PM, Robert Ransom <rransom.8774@xxxxxxxxx>
>> wrote:
>
>>> (The BEAR/LION key would likely be different for each cell that a
>>> relay processes.)
>> Different how: if we simply increment the key we still remain open to
>> replay attacks.
>
> The paper proves that BEAR and LION are 'secure' if the two (three?)
> parts of the key are 'independent'. ÂChoosing the subkeys
> independently is too expensive for Tor, but the standard way to
> generate 'indistinguishable-from-independent' secrets is to feed your
> key to a stream cipher (also known as a 'keystream generator').
> Incrementing that stream cipher's key after processing each cell would
> indeed prevent replay attacks (unless the stream cipher is something
> really horrible like RC4), but it's probably easier to just take the
> next 2n (3n?) bytes of keystream.

As I understand the tagging attacks of our favorite scavenger they
repeat a cell, turning it and all following cells in a circuit into
gibberish. This causes the circuit to close. I don't understand how
changing keys after each cell affects this attack: we still get
gibberish when a cell is repeated, precisely because the key changes.
>
>>>> Losing semantic security is a Bad Thing. I'll freely admit there are
>>>> issues with incorporating a leak of circuit length into the protocol,
>>>> as well as possibly (depending on details of TLS) leaking what lengths
>>>> end where to a global adversary.
>>>
>>> An end-to-end MAC inside the BEAR/LION wrapper should provide all the
>>> security properties we need (note that the MAC key would also need to
>>> be different for each cell).
>> So we need to include nonces with each cell, which we need to do anyway.
>
> No -- each cell needs a different nonce. ÂHopefully the nonce won't
> need to be sent with every cell.
We can of course not send the nonce with each cell, incrementing on
successful arrival.
But why does the MAC key need to be different for each cell? MACs take
nonces to prevent replay attacks.
Anyway, you probably have something much more final figured out, which
I should wait to poke holes in when you propose it.
>
Sincerely,
Watson Ladd


-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neitherÂ Liberty nor Safety."
-- Benjamin Franklin
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks
  - From: Robert Ransom
- Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks
  - From: unknown

References:
- [tor-dev] Analysis of the Relative Severity of Tagging Attacks
  - From: The23rd Raccoon
- Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks
  - From: Robert Ransom
- Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks
  - From: Watson Ladd
- Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks
  - From: Robert Ransom
- Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks
  - From: Watson Ladd
- Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks
  - From: Robert Ransom

Prev by Author: Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks
Previous by thread: Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks
Next by thread: Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks
Index(es):
- Author
- Thread