[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Another key exchange algorithm for extending circuits: alternative to ntor?

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Another key exchange algorithm for extending circuits: alternative to ntor?
From: Robert Ransom <rransom.8774@xxxxxxxxx>
Date: Sat, 11 Aug 2012 07:57:18 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 11 Aug 2012 03:56:38 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=9euCRoCykipY5GMLGLE5i63UTvEYz7Yx+v4CHzqG4+U=; b=blxH8pzUywpPqgUb5P5+DIfzFD1zMF5EKYSuMDjiIar1GtS0CBD3p6LD6W6n0v7Pis E0xcIze+7wmvjrefMyfT0C7Gd9qPUHcyPyX1dmor931ctEJvN9EWmRTPBvOdc60xO9RL WnwLsjebKtO1O6D8rvLzZ0GHksyJAz4UFOcXtSHlel/sxR6o+ienVFWvyj0/Zi7hXFEY TSxRKSmjiQ7znJRIcPSfv+bVwClZT/FO+rdMYBtN2eMTarOp3V6k2V9L/uC0gBXT3bTN /kkJkVZjW25oeE1v8wrMV75o4wSoyZiT3hcIeTxZD0KvmIxVBUlFIi788531qIjMJX7V ApIw==
In-reply-to: <CABqy+sqAbGfMS+1TbREJcjTM4ige41jHw461R5cZfMaJwaRT-w@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CAKDKvuxxE5njbvNQ+3ye17w6k7UATbe7Px6Aq_Fa1yBzOrxYXQ@xxxxxxxxxxxxxx> <CABqy+sqAbGfMS+1TbREJcjTM4ige41jHw461R5cZfMaJwaRT-w@xxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx

On 8/10/12, Robert Ransom <rransom.8774@xxxxxxxxx> wrote:
> On 8/8/12, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
>
>> http://www.infsec.cs.uni-saarland.de/~mohammadi/owake.html
>
> Also, where does this paper specify that the participants must check
> that public-key group elements are not equal to the identity element?
> That's rather important, as Tor's relay protocol is likely to break if
> an attacker can force a server to open additional circuits to an
> attacker using the same key material that a legitimate client's
> circuit has.

It occurred to me later that the server would know that H(g^(x_1*b +
x_2*y), g^y) is âfreshâ, and that the client would know that the
server would not use H(g^(x_1*b + x_2*y), g^(x_1), g^(x_2), g^y) as a
key with a party that presented some public key other than (g^(x_1),
g^(x_2)) to it, so I checked the paper for *that* defense against
tampering and found it in Figure 4.  (That is a critical detail of
this protocol, and not necessary to protect honest clients against key
reuse in ntor, so it should have been included in the specifications
of the protocol in Figures 3 and 5 and the first two paragraphs of
section 3.1.  Hopefully the authors will fix that too when they revise
their paper.)

I don't see any way to attack âAceâ with the client and server
ephemeral public keys included in the data passed to the KDF.

Robert Ransom
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- [tor-dev] Another key exchange algorithm for extending circuits: alternative to ntor?
  - From: Nick Mathewson
- Re: [tor-dev] Another key exchange algorithm for extending circuits: alternative to ntor?
  - From: Robert Ransom

Prev by Author: Re: [tor-dev] Another key exchange algorithm for extending circuits: alternative to ntor?
Next by Author: Re: [tor-dev] How to best support tor 0.2.3.x in Tor Browser Bundle?
Previous by thread: Re: [tor-dev] Another key exchange algorithm for extending circuits: alternative to ntor?
Next by thread: [tor-dev] How about virtual machines?
Index(es):
- Author
- Thread