Re: [tor-dev] Attentive Otter: Analysis of xmpp-client

To: tor-dev@xxxxxxxxxxxxxxxxxxxx, Adam Langley <agl@xxxxxxxxxxxxxxxxxx>

Subject: Re: [tor-dev] Attentive Otter: Analysis of xmpp-client

From: Watson Ladd <watsonbladd@xxxxxxxxx>

Date: Tue, 8 Oct 2013 20:40:30 -0700

Delivery-date: Tue, 08 Oct 2013 23:40:44 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=O2hp0GpA3fPpXV83d0IVGkdwWiDalbuYI2k08jwtpd8=; b=tZNe3ekdfVF8jdAjaqqcv47rPMoG7B8zuvMIjNzmOaqp4ajdCRhYEKEzC84PxVeRZ9 FjFhRvYG7q/p1AHT+souDV6grUEOM76lMgx1Pgo+2S9zNSp8KdYhppvY7is3corrxnNg szPBoIqH8+KXbYkmW9ODbbDk7pkthR+vNpzUfeXy/2nBgJqDXVZOyOXtKKjYzhpXJqxw ZMWL49eBHhKrQd/+xG3TJBZzyf01s5CDllHxrGl8w3xx+Qx3a3lyzxq69zH5JM3FjlhL iOTOAN8BwCu4qG3uYvleR/mNlMM0FqUo0Dq0mzj6zTMkI/35NJ5gPMARkXtX8oR0ufuN EviA==

In-reply-to: <20131008234951.GL1940@xxxxxxxxxxxxxx>

List-archive: <http://lists.torproject.org/pipermail/tor-dev/>

List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>

List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>

List-post: <mailto:tor-dev@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>

References: <5252EDA6.9030305@xxxxxxxxxxxxxxxxx> <20131008234951.GL1940@xxxxxxxxxxxxxx>

Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On Tue, Oct 8, 2013 at 4:49 PM, Mike Perry <mikeperry@xxxxxxxxxxxxxx> wrote:

Jurre van Bergen:

>
> *OTR*
> OTR support comes from the Go crypto package:
> https://code.google.com/p/go.crypto/
> This library only has support for OTRv2 and not the latest OTRv3
> specification. If we want to be resistant to several attacks[1] Âon the
> OTR protocol, we need to reimplement the OTR protocol and update it to
> the latest version or, we use Cgo, which binds into libotr. (Open
> questions: OTR by default?, )
>
> [1]
> http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.165.7945&rep=rep1&type=pdf

According to agl:
"The DH and DSA code uses Go's math/big library, which isn't constant
time."

He said these non-constant time Go primitives are used by OTR, and will
be used by TLS if they are specified by the negotiated cipher suite.

The easy fix is to make go.crypto constant time, for at least what we need.

If we are okay with bad performance this doesn't require much trickery for DH: saturated limb arithmetic modulo

a constant with a precomputed Barrett reduction tables is constant time.

DSA is harder because the modulus is provided as part of the key. I don't know how to do that in constant time.

So xmpp-client's OTR and TLS support would definitely need to be
rewritten to call out to a native code implementation or rewritten to
use new constant time Go primitives, independent of OTRv2 vs OTRv3.

--
Mike Perry

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

--
"Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neitherÂ Liberty nor Safety."
-- Benjamin Franklin

_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev