Re: Speaking of cryptography

[Paul Syverson <syverson@xxxxxxxxxxxxxxxx>]

On Wed, Jan 06, 2010 at 03:44:32AM -0500, Roger Dingledine wrote:
> On Tue, Jan 05, 2010 at 11:26:36PM +0100, moris blues wrote:
> > i red about: Speaking of cryptography,
> > check for bad values of g^x, g^y...
> > 
> > apparently is a MIM-attack to the DH available. 
> > What options are there to protect themselves against. 
> 
> I assume you're talking about
> http://archives.seul.org/or/announce/Aug-2005/msg00002.html
> 
> You should also read
> http://freehaven.net/anonbib/#tap:pet2006
> 
> > It still is the possibility to use the MQV HMQV protocol.
> > 
> > My question then is why it is not used.
> > Is it possible to implement the MQV as a substitute for DH?
> 
> No idea. Somebody clueful in crypto would have to figure that one out,
> and then convince somebody that's both clueful in crypto and well-known
> in the Tor community to believe it.
> 
> Writing it up as a research paper and getting it published would be the
> best approach. Writing it up as a Tor proposal and including a thorough
> security/performance/transition analysis might work too. Identifying
> further problems in the current approach would encourage us to switch
> faster.
> 

As a start on that research: we published some advantages of an
MQV-like protocol in "Improving Efficiency and Simplicity of Tor
circuit establishment and hidden services"
http://www.onion-router.net/Publications.html#dh-tor
Though we mention reasons to be hopeful about its security
we have not done an actual security proof yet (which I'll get to in
my copious free time), without which it is of course not to be
recommended for use in deployed Tor or perhaps even for more detailed
design exploration than we have already done.

aloha,
Paul 
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/