[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Some initial analysis on the new "Triple Handshake Attack" and Tor

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Some initial analysis on the new "Triple Handshake Attack" and Tor
From: Nick Mathewson <nickm@xxxxxxxxxxxx>
Date: Tue, 4 Mar 2014 10:05:52 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 04 Mar 2014 10:06:06 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:content-type; bh=DUJlseTQlOw9PUvfIaOxp2/ExSvdbFKloYp2t2UJeJY=; b=08OD0apUv4Qwec/nrDhudfBJriIlFOOnY48faDkgT9XiQ0OwhMs9GQNPYjoeg8pSs7 bWtOVyxcQuQQuJi2fTe2RGiYgg1kkuZkpiHPsQvYkUg7p2THG0m6Bdal8+//FliGHVDp FO0Wty/EXkEsR+il0AUfG45a5XnB5QJ7GFF7B96OhgHyCLPeSGFVuWmJ+xpIKkWk7/Cs hX3NcPzoYjp5jJhuW6PkPrxac4ZxjJ5+AWJh36RwbISM+S6hLEF9W1v7pLQgZ+vi3KVx tYklt/VACqySLgi+IzaxyVVmLzmdO09ZB+MvIVbMzNbcqQLUlhV/1DHyLOlLK2unicn1 zKMQ==
In-reply-to: <CACsn0cn_udmasLKK5Dov0uQuKsFy89_iKSfWPpKcigQ8v1Lhsw@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CAKDKvuw19p3nsyU46_BhaKi3vN4qR7Ati=dVZD8xj9_9Z=LBHg@xxxxxxxxxxxxxx> <CACsn0cn_udmasLKK5Dov0uQuKsFy89_iKSfWPpKcigQ8v1Lhsw@xxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On Mon, Mar 3, 2014 at 10:37 PM, Watson Ladd <watsonbladd@xxxxxxxxx> wrote:

> How about 6: Tor server to server connections should use
> ECDHE+ChaCha20 or GCM_AES ciphersuites only?
> This closes the UKS hole that enabled this attack to happen, and
> probably is a good idea anyway.

To make sure I understand, it's the ECDHE that's the defense here:
unlike DHE, ECDHE implementations don't let the attacker pick an
arbitrary set of parameters which might not define a real group, and
so if ECDHE is used, the attacker can't force two connections to share
the same keys.

I guess this is another "defense in depth" item: as of Tor 0.2.4.x*,
the preferred ciphersuites are all ECDHE ones.  But that isn't quite
good enough, since non-ECDHE ciphersuites are still supported, so an
attacker can simply pretend not to support them when talking to the
client and the server.

It would be helpful to know what fraction of 0.2.4.x servers support
ECDHE ciphersuites today. That would let us figure out what obstacles
there might be to dropping non-ECDHE ciphersuites in the future.

* Assuming you're built with a good enough version of OpenSSL that
doesn't have ECC turned off.

best wishes,
-- 
Nick
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] Some initial analysis on the new "Triple Handshake Attack" and Tor
  - From: Watson Ladd

References:
- [tor-dev] Some initial analysis on the new "Triple Handshake Attack" and Tor
  - From: Nick Mathewson
- Re: [tor-dev] Some initial analysis on the new "Triple Handshake Attack" and Tor
  - From: Watson Ladd

Prev by Author: Re: [tor-dev] [RELEASE] Torsocks 2.0.0-rc4
Next by Author: Re: [tor-dev] [RELEASE] Torsocks 2.0.0-rc4
Previous by thread: Re: [tor-dev] Some initial analysis on the new "Triple Handshake Attack" and Tor
Next by thread: Re: [tor-dev] Some initial analysis on the new "Triple Handshake Attack" and Tor
Index(es):
- Author
- Thread