
Re: [tor-dev] Padding prop224 REND1 cells to blend them with legacy cells



teor <teor2345@xxxxxxxxx> writes:

>> On 20 Sep 2017, at 00:44, George Kadianakis <desnacked@xxxxxxxxxx> wrote:
>> 
>> Legacy RENDEZVOUS1 cells are bigger than the prop224 ones. The prop224
>> spec suggests we pad the new cells so that they look similar in size to
>> the legacy ones.
>> 
>> ...
>> 
>> The suggestion is to pad the prop224 cells to 168 bytes using random data.
>> 
>> Would that work? My main question is whether the g^y part of the legacy
>> cell has any distinguishers that could distinguish it from random data.
>> It's encoded using OpenSSL's BN_bn2bin() and it's a 1024 bit DH public
>> key. Are there any algebraic or openssl structure distinguishers we
>> should be worrying about, or is random data sufficient to mask it out?
>
> What's the threat model here?
>
> I ask because regardless of whether the RENDEZVOUS1 cell plaintext is
> distinguishable between v2 and v3, the rend point can distinguish v2 and
> v3 using this one neat trick:
> * if the service extends using TAP, the protocol is v2
> * if the service extends using ntor, the protocol is v3
>

Thanks for the discussion and research, Ian and teor! 

I summarized the findings here: https://trac.torproject.org/projects/tor/ticket/23420#comment:5

Not sure what's the right approach here.

Perhaps I'm fine with doing nothing at this point, and figuring this out
in the future if v4 ever comes.

Cheers!
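
One check that bears on the question in the quoted message, whether random bytes can stand in for the g^y field (an added example, not code from this thread or from Tor). It assumes the legacy key lives in the RFC 2409 section 6.2 group with generator 2, which is what tor-spec gives for Tor's 1024-bit DH, and that the field is a fixed 128-byte big-endian value; all function names are illustrative.

```python
import secrets

# 1024-bit safe prime of RFC 2409 section 6.2 (Second Oakley Group).
# Assumption: this is the group behind the legacy g^y field; the thread
# itself only says "1024 bit DH public key".
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
KEY_LEN = 128  # bytes occupied by g^y (assumed fixed width, zero-padded)


def dh_public_bytes():
    """Constructed sample: a fresh g^y encoded as 128 big-endian bytes."""
    y = secrets.randbelow(P - 3) + 2
    return pow(G, y, P).to_bytes(KEY_LEN, "big")


def random_padding():
    """Constructed sample: 128 uniformly random bytes."""
    return secrets.token_bytes(KEY_LEN)


def is_quadratic_residue(x):
    """Euler's criterion: x is a square mod P iff x^((P-1)/2) == 1 (mod P)."""
    return pow(x, (P - 1) // 2, P) == 1


def consistent_with_dh_key(blob):
    """True if the bytes could be g^y: in range and a quadratic residue."""
    x = int.from_bytes(blob, "big")
    return 1 < x < P - 1 and is_quadratic_residue(x)


def pass_rate(make_blob, trials=200):
    """Fraction of generated blobs that are consistent with a DH key."""
    hits = sum(consistent_with_dh_key(make_blob()) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("real g^y      :", pass_rate(dh_public_bytes))
    print("random padding:", pass_rate(random_padding))
```

Because P is congruent to 7 mod 8, 2 is a square mod P and so is every power of it, while a uniformly random 128-byte value is a square only about half the time. The range check almost never fires, since the top 64 bits of P are all ones.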