[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #5460 [Tor Client]: Write proposal(s) to evaluate circuit crypto authentication
#5460: Write proposal(s) to evaluate circuit crypto authentication
------------------------+---------------------------------------------------
Reporter: mikeperry | Owner: nickm
Type: defect | Status: assigned
Priority: major | Milestone: Tor: 0.2.4.x-final
Component: Tor Client | Version:
Keywords: | Parent: #5456
Points: | Actualpoints:
------------------------+---------------------------------------------------
Comment(by nickm):
Replying to [comment:5 arma]:
> Replying to [comment:1 rransom]:
> > BEAR/LION/LIONESS are not âself-authenticating cryptoâ. They are
large-block block ciphers which ensure that any change to a block's data
on one side of an honest relay completely scrambles the block's data on
the other side. They would need to be accompanied by an end-to-end MAC.
>
> Even if accompanied by an end-to-end mac, isn't that insufficient? If I
can mangle a cell, and detect mangling, and it still gets to the other
end, that sounds like a tagging attack to me. It's not as fine-grained a
tagging attack sure, but if the goal is "cause circuit failure at the 2nd
hop, not the third" then it's not going to do it, right?
"It Depends". The biggest problem with the current tagging attack is that
a successfully tagged circuit (one where the attacker observes the tag) is
recoverable by the attacker. Either a whole-cell encryption approach or a
per-hop MAC approach would solve *that*. (As for the "it's still a tag"
argument... it's not clear that "the whole circuit gets destroyed away
suddenly" is much worse as a tag than "the whole circuit turns to junk
suddenly.)
I wrote a draft draft draft today, and I'm showing it to as some naive-
about-tor/smart-about-crypto people to try to make sure it's readable.
I'll give it another editing pass after that, assign it a proposal number,
and call this ticket closed.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5460#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs