[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Some draft notes on migrating Tor's ciphersuites

To: or-dev@xxxxxxxxxxxxx
Subject: Re: Some draft notes on migrating Tor's ciphersuites
From: Nick Mathewson <nickm@xxxxxxxxxxxxx>
Date: Fri, 31 Dec 2010 22:28:41 -0500
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-dev-outgoing@xxxxxxxx
Delivered-to: or-dev@xxxxxxxx
Delivery-date: Fri, 31 Dec 2010 22:28:46 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:sender:received :in-reply-to:references:date:x-google-sender-auth:message-id:subject :from:to:content-type:content-transfer-encoding; bh=staM6Sh8Hg5yCNlq3Bws5ylPvNGkZyQuDEEGDVW0R28=; b=ryKcGVb/Sn8VNE1xavU4PDzseLSzyw8y/ctsiXIIAKDuyb2zb3YXAOYc0cFDZZCsU2 8x8WirrA1pPRj9YndvzS5g/O1uxawWSvlbWPrKZ+HOu+FPl0zb5ISXONedHCKgG90HBN fMZJM3Gqo0+8Q3PVmFOmsnLzPKSC1NJWKDQ5g=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type :content-transfer-encoding; b=f58Edo+K17RxOtIlZdRigv9hifxuiujpqNa7hxndAHwj6n2bgaqckpkzw2z8hx7mgU GuVzrD8rA07Hcm+an+wZBUQAiqFQMqTefHEM0VIsmjHj8Pa35+4owfVgsAaejivW+fsJ WUN5WL7gIm+ZbDiiD4rBJjJBlGO5yCJIs7O3k=
In-reply-to: <20101231131722.592084fa@xxxxxxxxx>
References: <AANLkTi=4iqyunm23SmynY9PkeH2vYgXM6d5tN7ort9+5@xxxxxxxxxxxxxx> <AANLkTik_yWFLVEdCV+vVpLaqHK2tFL4MD41noBjM=mOZ@xxxxxxxxxxxxxx> <AANLkTi=TZRKRpxxUuB8cmns0x-xC=5eW8QFaOvsUp9G-@xxxxxxxxxxxxxx> <AANLkTikuPQR5UVj92A6c439CkRtE7Vvqyj3iVXUpodUS@xxxxxxxxxxxxxx> <20101231131722.592084fa@xxxxxxxxx>
Reply-to: or-dev@xxxxxxxxxxxxx
Sender: owner-or-dev@xxxxxxxxxxxxx

On Fri, Dec 31, 2010 at 4:17 PM, Robert Ransom <rransom.8774@xxxxxxxxx> wrote:
> On Sun, 19 Dec 2010 08:46:13 -0500
> Watson Ladd <watsonbladd@xxxxxxxxx> wrote:
>
>> On Sat, Dec 18, 2010 at 10:34 PM, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
>
>> > You're right that it's important to limit partitioning opportunities
>> > in any protocol revision; I tried to go over that in section 2, but we
>> > shouldn't assume that I've said the last word on this.  We should
>> > continue to look for ways to revise and improve whatever we come up
>> > with to get the partitioning and other undesirable things down to a
>> > minimum.
>
> My current plan to minimize partitioning of the client anonymity set is:
>
> * The directory authorities should specify lists of cryptographic
>  primitives (identity key signature systems, circuit-extension
>  handshakes, circuit ciphersuites, etc.) that relays are permitted to
>  support in the consensus.

This should probably incorporate allowable key sizes.  We don't want
some twit generating 16384-bit identity keys just to slow down all the
clients, but we also don't want somebody using 512-bit RSA keys.

> * The directory authorities should specify lists of cryptographic
>  primitives that clients should consider using in the consensus.
>
> * Each relay should specify lists of cryptographic primitives that it
>  is willing to use in its descriptor, ordered by the relay's
>  preference (e.g. the relay puts its favorite primitive in a list
>  first).

Hm.  If this involves multiple onion keys, this can potentially bloat
server descriptor sizes; we should consider carefully how we can avoid
that.  Perhaps there should be an upper bound on how many onion keys
you can advertise.

> * A client should select the first cryptographic primitive in a relay's
>  list that (a) the consensus recommends that clients use, and (b) the
>  client supports.

Hm. This puts the onus on relay operators of picking the best
primitives.  I'm not sure that's such a great idea.  Perhaps the
client should pick whichever method supported by both the client and
the relay that the *consensus* recommends first.

> * The Tor developers should not introduce new cryptographic primitives
>  between two stable releases in the same branch.
>
> The Tor client will need to support torrc options that override the
> lists of recommended cryptographic primitives in the consensus in order
> to allow testing of not-yet-recommended primitives on the public Tor
> network, but the manual page will need to warn explicitly that setting
> those options will harm a Tor user's anonymity.

One thing we will need to think about here is the risk of having
seldom-used code.  Remember the time that GPG had broken ElGamal keys
for ages, and it went unnoticed since almost nobody used ElGamal keys?
(CVE-2003-0971)  More code does come with more risk.


> This plan relies on the directory authorities not recommending a new
> cryptographic primitive until a large fraction of Tor clients support
> it.
>
>
>> One way is to be very conservative in suite choices so we don't have
>> to change them that often. I'm going to also go out on a limb and say
>> that we also want a crypto API like NaCL that lets us just say
>> enciphered=encrypt(key, unenciphered) and doesn't force us to worry
>> about padding or modes because this is a much simpler abstraction
>> layer and so offers less opportunity for mistakes that could threaten
>> security.
>
> I think that if we follow the plan above, we don't need to limit the
> number of cryptographic primitives of each type in order to preserve
> the client anonymity set.  It's more important to have at least two
> cryptographic primitives of each type implemented, even if we expect
> that few relays will prefer one of them, in order to ensure that we get
> the APIs for each primitive right.

I am a little skeptical that it will turn out to be quite this simple
once we design it, but at this point I think the easiest way to see
whether we can get away with a good design with all the properties we
want is to just try to make one, and see how it works out.

peace & happy new year,
-- 
Nick

Follow-Ups:
- Re: Some draft notes on migrating Tor's ciphersuites
  - From: Robert Ransom

References:
- Some draft notes on migrating Tor's ciphersuites
  - From: Nick Mathewson
- Re: Some draft notes on migrating Tor's ciphersuites
  - From: Watson Ladd
- Re: Some draft notes on migrating Tor's ciphersuites
  - From: Nick Mathewson
- Re: Some draft notes on migrating Tor's ciphersuites
  - From: Watson Ladd
- Re: Some draft notes on migrating Tor's ciphersuites
  - From: Robert Ransom

Prev by Author: Re: Some draft notes on migrating Tor's ciphersuites
Next by Author: Re: Proposal 171 (revised): Separate streams across circuits by connection metadata
Previous by thread: Re: Some draft notes on migrating Tor's ciphersuites
Next by thread: Re: Some draft notes on migrating Tor's ciphersuites
Index(es):
- Author
- Thread