[tor-bugs] #18221 [Tor]: Validate our DH parameters to prevent socat-type fails.
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Feb 4 15:08:27 UTC 2016
#18221: Validate our DH parameters to prevent socat-type fails.
-----------------------------+------------------------------------
Reporter: yawning | Owner:
Type: enhancement | Status: needs_review
Priority: Medium | Milestone: Tor: 0.2.8.x-final
Component: Tor | Version: Tor: unspecified
Severity: Normal | Resolution:
Keywords: tor-core crypto | Actual Points:
Parent ID: | Points:
Sponsor: |
-----------------------------+------------------------------------
Comment (by yawning):
Replying to [comment:8 bugzilla]:
> If an adversary could make a fallback in TLS session, then it'd be
> seamless for the user.

That requires breaking TLS, or the relay being malicious. In both cases,
you lose regardless of what cipher suite you're using.

> > Use P-256
> It's not so good as it seems. 256-bit PK is theoretically strong as
> 128-bit AES key, but 112-bit can be broken, and the same for 128-bit in
> the near future. And what's then? Urgently disable P-256 fallback from
> P-384?

Sigh.

If anything I'd move to X448 over P-384, but there's not much point when
ntor is X25519 based, and relay identities are signed with Ed25519.

Assuming you aren't doing anything clever with batch attacks (which aren't
applicable to properly implemented P-256, X25519, or X448), public key
cryptography with 112/128 bit security levels requires a quantum computer
to break.

It's also worth noting that to get a 128 bit security level with classic
DH, you need a group that is at least 3248 bits, which would have
catastrophic performance implications.

Anyway, this is orthogonal to the ticket.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18221#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online