
On 23/05/14 13:16, Philipp Winter wrote:
> - ScrambleSuit's framing mechanism is vulnerable to this attack: <http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf>
>
> In a nutshell, the receiver needs to decrypt the ScrambleSuit header before it is able to verify the HMAC, which makes it possible for an attacker to tamper with the length fields. While there are probably simpler attacks, it would be nice to have a fix for this problem.
In the next version of the Briar transport protocol we're addressing that problem by dividing each frame into two parts. The first part is a fixed-length header, the second is a variable-length body. Each part is separately encrypted and MACed. The header contains the length of the body. This requires two MACs per frame, but I prefer that to the alternatives: using fixed-length frames, or using the decrypted length field before checking whether it's been tampered with.

Cheers,
Michael
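The two-part frame layout described above, as an added illustration that is not Briar's code or Michael's: a fixed-length header (encrypted length field plus its MAC) followed by a separately encrypted and MACed body. The receiver authenticates the header before it decrypts the length, so a tampered length field is rejected before it can steer the body read. The stream cipher, nonce layout and key sizes here are constructed for the demo, not taken from the protocol.

```python
import hmac
import hashlib
import struct

MAC_LEN = 32                      # HMAC-SHA256 tag
LEN_FIELD = 4                     # body length, big-endian uint32
HEADER_LEN = LEN_FIELD + MAC_LEN  # fixed size: encrypted length + its MAC


def _keystream(key, nonce, n):
    # Toy stream cipher (SHA-256 in counter mode) so the example runs on the
    # stdlib; the point demonstrated is the framing, not the cipher choice.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def _seal(enc_key, mac_key, nonce, plaintext):
    # Encrypt-then-MAC; the MAC covers the nonce and the ciphertext.
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def _open(enc_key, mac_key, nonce, sealed):
    ct, tag = sealed[:-MAC_LEN], sealed[-MAC_LEN:]
    # Verify before decrypting: nothing derived from the plaintext is used until here.
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("MAC check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def encode_frame(enc_key, mac_key, frame_no, body):
    # Header and body get distinct nonces (part tag + frame counter) and separate MACs.
    fn = frame_no.to_bytes(8, "big")
    header = _seal(enc_key, mac_key, b"H" + fn, struct.pack(">I", len(body)))
    return header + _seal(enc_key, mac_key, b"B" + fn, body)


def decode_frame(enc_key, mac_key, frame_no, stream):
    # Returns (body, remaining_stream). The header is always exactly HEADER_LEN bytes,
    # so the reader never needs an unauthenticated length to find the header MAC.
    fn = frame_no.to_bytes(8, "big")
    if len(stream) < HEADER_LEN:
        raise ValueError("truncated header")
    length = struct.unpack(">I", _open(enc_key, mac_key, b"H" + fn, stream[:HEADER_LEN]))[0]
    end = HEADER_LEN + length + MAC_LEN  # length is trusted only after the header MAC passed
    if len(stream) < end:
        raise ValueError("truncated body")
    return _open(enc_key, mac_key, b"B" + fn, stream[HEADER_LEN:end]), stream[end:]


def tamper_is_rejected(enc_key, mac_key, frame_no, frame, byte_index):
    # Flip one bit of the frame (e.g. inside the encrypted length field) and check
    # that decoding fails at the MAC rather than acting on a corrupted length.
    bad = bytearray(frame)
    bad[byte_index] ^= 0x80
    try:
        decode_frame(enc_key, mac_key, frame_no, bytes(bad))
    except ValueError:
        return True
    return False
```

Flipping a bit in the first four bytes of a frame hits the encrypted length field; the decoder rejects it at the header MAC and never reads a body of attacker-chosen size.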