Hi, all!
Here's Esfandiar Mohammadi's proposal for the Ace handshake. It should have been added as a numbered proposal back in July; I think I lost track of everything while the dev meeting was happening.
Please let me know if you have more proposals that should be assigned numbers but haven't gotten one yet.
Filename: 223-ace-handshake.txt Title: Ace: Improved circuit-creation key exchange Author: Esfandiar Mohammadi Created: 22-July-2013 Status: Open
History:
22-July-2013 -- Submitted 20-Nov-2013 -- Reformatted slightly, wrapped lines, added references, adjusted the KDF [nickm]
Summary:
This is an attempt to translate the proposed circuit handshake from "Ace: An Efficient Key-Exchange Protocol for Onion Routing" by Backes, Kate, and Mohammadi into a Tor proposal format.
The specification assumes an implementation of scalar multiplication and addition of two curve elements, as in Robert Ransom's celator library.
Notation:
Let a|b be the concatenation of a with b.
Let H(x,t) be a tweakable hash function of output width H_LENGTH bytes.
Let t_mac, t_key, and t_verify be a set of arbitrarily-chosen tweaks for the hash function.
Let EXP(a,b) be a^b in some appropriate group G where the appropriate DH parameters hold. Let's say elements of this group, when represented as byte strings, are all G_LENGTH bytes long. Let's say we are using a generator g for this group.
Let MUTLIEXPONEN (a,b,c,d) be (a^b)*(c^d) in some appropriate group G where the appropriate DH parameters hold. Let's say elements of this group, when represented as byte strings, are all G_LENGTH bytes long. Let's say we are using a generator g for this group.
Let PROTOID be a string designating this variant of the protocol.
Let KEYID be a collision-resistant (but not necessarily preimage-resistant) hash function on members of G, of output length H_LENGTH bytes.
Instantiation:
Let's call this PROTOID "ace-curve25519-ed-uncompressed-sha256-1"
Set H(x,t) == HMAC_SHA256 with message x and key t. So H_LENGTH == 32. Set t_mac == PROTOID | ":mac" t_key == PROTOID | ":key" t_verify == PROTOID | ":verify" Set EXP(a,b) == scalar_mult_curve25519(a,b), MUTLIEXPONEN(a,b) == dblscalarmult_curve25519(a,b,c,d), and g == 9 .
Set KEYID(B) == B. (We don't need to use a hash function here, since our keys are already very short. It is trivially collision-resistant, since KEYID(A)==KEYID(B) iff A==B.)
Protocol:
Take a router with identity key digest ID.
As setup, the router generates a secret key b, and a public onion key B = EXP(g,b). The router publishes B in its server descriptor.
To send a create cell, the client generates two keypairs of x_1, X_1=EXP(g,x_1) and x_2, X_2=EXP(g,x_2) and sends a CREATE cell with contents:
NODEID: ID -- H_LENGTH bytes KEYID: KEYID(B) -- H_LENGTH bytes CLIENT_PK: X_1, X_2 -- 2 x G_LENGTH bytes
The server checks X_1, X_2, generates a keypair of y, Y=EXP(g,y) and computes
point = MUTLIEXPONEN(X_1,y,X_2,b) secret_input = point | ID | B | X_1 | X_2 | Y | PROTOID KEY_SEED = H(secret_input | "Key Seed", t_key) KEY_VERIFY = H(secret_input | "HMac Seed", t_verify) auth_input = ID | Y | X_1 | X_2 | PROTOID | "Server"
The server sends a CREATED cell containing:
SERVER_PK: Y -- G_LENGTH bytes AUTH: H(auth_input, KEY_VERIFY) -- H_LENGTH bytes
The client then checks Y, and computes
point = MUTLIEXPONEN(Y,x_1,B,x_2) secret_input = | ID | B | X_1 | X_2 | Y | PROTOID KEY_SEED = H(secret_input | "Key Seed", t_key) KEY_VERIFY = H(secret_input | "HMac Seed", t_verify) auth_input = ID | B | Y | X_1 | X_2 | PROTOID | "Server"
The client verifies that AUTH == H(auth_input, KEY_VERIFY).
Both parties now have a shared value for KEY_SEED. They expand this into the keys needed for the Tor relay protocol.
Key expansion:
When using this handshake, clients and servers should expand keys using HKDF as with the ntor handshake today.
See also:
http://www.infsec.cs.uni-saarland.de/~mohammadi/ace/ace.html for implementations, academic paper, and benchmarking code.
Is it just me, or is this protocol MQV with the client generating a fake long term key? Sincerely, Watson Ladd
On Wed, Nov 20, 2013 at 08:36:30AM -0800, Watson Ladd wrote:
Is it just me, or is this protocol MQV with the client generating a fake long term key?
Well yeah sort of, but the "details" are crucial. In "Improving efficiency and simplicity of Tor circuit establishment and hidden services" (available on www.syverson.org or the anonbib) Lasse and I and presented a similar protocol and explicitly described how the similarity to and basis in MQV was a hopeful indicator that it was sound. But we didn't do a proper security analysis (in any model) in that paper, leaving that for future work. These authors found a vulnerability in that protocol, improved on it, and proved their protocol secure.
-Paul
Am 20.11.2013 um 18:19 schrieb Paul Syverson paul.syverson@nrl.navy.mil:
These authors found a vulnerability in that protocol, improved on it, and proved their protocol secure.
Actually, Ian Goldberg, Douglas Stebila, and Berkant Ustaoglu found the vulnerability in Lasse and Paul's protocol [1], improved it, and proved the resulting protocol ntor secure [2]. We improved the efficiency of ntor and proved the resulting protocol Ace secure [3].
- Esfandiar
[1] Lasse Overlier and Paul Syverson. Improving efficiency and simplicity of Tor circuit establishment and hidden services. In Proceedings of the 7th international conference on Privacy enhancing technologies, pages 134 - 152, ACM, 2007.
[2] Ian Goldberg, Douglas Stebila, and Berkant Ustaoglu. Anonymity and one-way authentication in key exchange protocols. In the journal on Designs, Codes and Cryptography, pages 245-269, Springer, 2012.
[3] Michael Backes, Aniket Kate, and Esfandiar Mohammadi. Ace: an efficient key-exchange protocol for onion routing. In Proceedings of the 2012 ACM workshop on Privacy in the electronic society, pages 55 - 64, ACM, 2012.
Thanks Esfandiar. I had to run off for an hour and inadevertently sent my message before I had finished composing it, leaving a munged impression. My intended point was that the whole story has quite a bit to it beyond simply tweaking MQV. As you noted, that story has even more to it than what I stated.
aloha, Paul
On Wed, Nov 20, 2013 at 07:03:37PM +0100, Esfandiar Mohammadi wrote:
Am 20.11.2013 um 18:19 schrieb Paul Syverson paul.syverson@nrl.navy.mil:
These authors found a vulnerability in that protocol, improved on it, and proved their protocol secure.
Actually, Ian Goldberg, Douglas Stebila, and Berkant Ustaoglu found the vulnerability in Lasse and Paul's protocol [1], improved it, and proved the resulting protocol ntor secure [2]. We improved the efficiency of ntor and proved the resulting protocol Ace secure [3].
- Esfandiar
[1] Lasse Overlier and Paul Syverson. Improving efficiency and simplicity of Tor circuit establishment and hidden services. In Proceedings of the 7th international conference on Privacy enhancing technologies, pages 134 - 152, ACM, 2007.
[2] Ian Goldberg, Douglas Stebila, and Berkant Ustaoglu. Anonymity and one-way authentication in key exchange protocols. In the journal on Designs, Codes and Cryptography, pages 245-269, Springer, 2012.
[3] Michael Backes, Aniket Kate, and Esfandiar Mohammadi. Ace: an efficient key-exchange protocol for onion routing. In Proceedings of the 2012 ACM workshop on Privacy in the electronic society, pages 55 - 64, ACM, 2012.
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
On Wed, Nov 20, 2013 at 11:02 AM, Nick Mathewson nickm@torproject.org wrote:
Hi, all!
Here's
Incidentally, the canonical location for proposals is the torspec repository. Since this email went out, I've applied some fixes to the proposal to fix up some mistakes in it, and more mistakes I made. The latest version is https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/223-ace...