On Sun, Sep 03, 2006 at 11:03:46AM -0400, Watson Ladd wrote:
> Is it possible to change the key negotiation method in a
> backwards-compatible way? I see no indication in the torspec.txt of this
> being possible. So is the removal of an exponentiation by client and
> server worth the price of a break with old clients and servers?

We do plan on versioning the protocol soon, some time in the next version or two. The plan for doing this with circuit negotiation is to add a note in router descriptors to indicate which circuit protocol a given router speaks.

It isn't too likely that the protocol you describe will go in, though. The problem with our current key setup and authentication protocol is not _just_ that it's slow, but that it's fragile -- although there is a security proof (by Ian Goldberg in PET 2006 [1]), the proof relies on (previously) unintended implementation details, and the paper argues that the protocol is easy to mis-implement. Nevertheless, the current key negotiation protocol *does* have a correctness proof. If we replace the key negotiation protocol, we'll do it with something _more_ proven and well-established, not less.

It does look like a cool idea, though. You should probably see whether something similar exists in the literature, and whether any of the attacks from the literature work on your proposal. Just because it isn't ready for Tor doesn't mean it's not worth pursuing.

[1] http://www.cypherpunks.ca/~iang/pubs/torsec.pdf

yrs,
--
Nick Mathewson