On Sun, Nov 17, 2013 at 07:33:12PM -0800, David Stainton wrote:
Hi,
I noticed that, because the obfsproxy API can sometimes buffer and resend smaller chunks of data, my simple use of NaCl stream_crypto to wrap each incoming data buffer will not work... that is because the client and server must keep synchronized nonce counters for the decrypt/encrypt to work... and in this case the client may send one large buffer and the server may receive many smaller buffers... trying to decrypt them with different nonces will of course fail.
https://github.com/david415/obfsproxy/tree/david-nacl-stream-withoutkeyexcha...
It seems like the solution is to write a super simple "framing protocol"... which is to say that I can first send a frame length; and on the receiving end simply read until frame length worth of data is consumed... and then apply the crypto_stream cipher on that frame with the correct corresponding nonce.
Super-simple framing protocols often fall victim to attacks in which the adversary messes with the length in the frame header. See, for example, "Plaintext Recovery Attacks Against SSH": http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf
So be careful here.
- Ian
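
Added example, not part of the original thread or of obfsproxy: a length-prefixed frame decoder that reassembles frames from arbitrarily sized chunks and verifies a MAC over the length field before acting on it, so a tampered length is rejected instead of steering the parser. The frame layout, key handling, `MAX_FRAME` and all names are assumptions; payloads stand in for ciphertext produced under the nonce equal to the frame counter.

```python
import hmac, hashlib, struct

MAX_FRAME = 4096   # assumed cap on payload size
TAG = 16           # truncated HMAC-SHA256 tag length (assumed)

def _tag(key, seq, kind, data):
    # Bind each tag to the frame counter and field type (0 = length, 1 = payload)
    # so frames cannot be reordered, replayed or have fields swapped.
    msg = struct.pack(">QB", seq, kind) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG]

def encode_frame(key, seq, payload):
    if len(payload) > MAX_FRAME:
        raise ValueError("payload too large")
    length = struct.pack(">H", len(payload))
    return length + _tag(key, seq, 0, length) + payload + _tag(key, seq, 1, payload)

class FrameDecoder:
    """Reassembles frames from arbitrarily sized chunks of the byte stream."""
    def __init__(self, key):
        self.key, self.seq, self.buf, self.need = key, 0, b"", None

    def feed(self, chunk):
        self.buf += chunk
        frames = []
        while True:
            if self.need is None:                  # still waiting for a header
                if len(self.buf) < 2 + TAG:
                    break
                length, tag = self.buf[:2], self.buf[2:2 + TAG]
                # Authenticate the length before trusting it.
                if not hmac.compare_digest(tag, _tag(self.key, self.seq, 0, length)):
                    raise ValueError("bad length tag")
                self.need = struct.unpack(">H", length)[0]
                if self.need > MAX_FRAME:
                    raise ValueError("frame too large")
                self.buf = self.buf[2 + TAG:]
            if len(self.buf) < self.need + TAG:    # body not complete yet
                break
            payload, tag = self.buf[:self.need], self.buf[self.need:self.need + TAG]
            if not hmac.compare_digest(tag, _tag(self.key, self.seq, 1, payload)):
                raise ValueError("bad payload tag")
            frames.append((self.seq, payload))     # seq doubles as the decrypt nonce
            self.buf = self.buf[self.need + TAG:]
            self.seq, self.need = self.seq + 1, None
        return frames
```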