Re: [tor-bugs] #7202 [Tor]: Implement ntor handshake or its successor
#7202: Implement ntor handshake or its successor
--------------------------------+-------------------------------------------
Reporter: karsten | Owner:
Type: project | Status: needs_review
Priority: normal | Milestone: Tor: 0.2.4.x-final
Component: Tor | Version:
Keywords: SponsorZ tor-relay | Parent:
Points: | Actualpoints:
--------------------------------+-------------------------------------------
Comment(by mikeperry):
What is the tor-dev post discussing the checks on X for this curve? (There
are at least 4 or 5 threads on circuit handshakes with different subjects,
and the only thread I see with ntor in the subject is not talking about
ntor.)

Either way, I still think the source, the spec or both should explain why
we can omit the checks on X and/or Y for our curve choice, and perhaps
cite the curve25519 paper pages or relevant material if the answer is
buried in there. In every other DH-esque protocol, omitting checks that
g^q = 1 and identity checks on keys is asking for a critical vulnerability.

I do *not* think the new comment does this. It only says "beware of
dragons on other curves!". It doesn't say why our curve is dragon-proof by
default.

Speaking of the g^q == 1 check, I assume we also know this is true for our g=9
choice because of some deep curve25519 magic used to construct the
subgroup?

Forgive me for still thinking of this problem in terms of Z_p, but if we
write our protocols such that only people who already understand both ECC
and the deep magic of our specific curve choice can verify their
correctness, we're begging for mistakes to slip through unnoticed due to
lack of eyeballs.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7202#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
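
The checks the comment refers to (g^q = 1 for the generator, identity and subgroup checks on a received key), written out in the Z_p setting it uses. This is an added example, not code from the ticket or from Tor, and it says nothing about curve25519; the parameters P, Q, G and all function names are constructed for illustration.

```python
# Added example: toy Z_p parameters constructed for illustration only.
# P = 2Q + 1 with P and Q both prime; far too small for real use.
P = 2039
Q = 1019
G = 4  # a square mod P, so it generates the order-Q subgroup


def generator_ok(g, p, q):
    """The g^q == 1 check: g is a non-identity element of the order-q subgroup."""
    return 1 < g < p - 1 and pow(g, q, p) == 1


def reject_reason(y, p, q):
    """Return None if peer value y is acceptable, else why it is refused."""
    if not isinstance(y, int) or not 0 < y < p:
        return "out of range"
    if y == 1:
        return "identity element"
    if pow(y, q, p) != 1:
        return "outside the order-q subgroup"
    return None


def shared_secret(peer_y, my_x, p=P, q=Q):
    """Validate the peer value before exponentiating with our secret."""
    reason = reject_reason(peer_y, p, q)
    if reason is not None:
        raise ValueError("peer public value refused: " + reason)
    return pow(peer_y, my_x, p)


def reachable_secrets(peer_y, p=P, q=Q):
    """Every result an unvalidated exponentiation could produce for peer_y."""
    return {pow(peer_y, x, p) for x in range(1, q)}


if __name__ == "__main__":
    # Constructed peer values: one honest, two that the checks refuse.
    for label, y in [("honest", pow(G, 123, P)), ("y = 1", 1), ("y = p-1", P - 1)]:
        print(label, reject_reason(y, P, Q), len(reachable_secrets(y)))
```

For the two refused values the set of reachable secrets has one and two elements respectively, against Q - 1 for a value inside the subgroup, which is the property the validation protects.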