[tor-bugs] #4548 [Tor Bridge]: Implement dynamic (rakshasa) primes (part of proposal 179)

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sat Nov 26 01:12:27 UTC 2011


#4548: Implement dynamic (rakshasa) primes (part of proposal 179)
------------------------+---------------------------------------------------
 Reporter:  asn         |          Owner:                    
     Type:  defect      |         Status:  needs_review      
 Priority:  normal      |      Milestone:  Tor: 0.2.3.x-final
Component:  Tor Bridge  |        Version:                    
 Keywords:              |         Parent:  #3972             
   Points:              |   Actualpoints:                    
------------------------+---------------------------------------------------

Comment(by nickm):

 Replying to [comment:12 asn]:
 > Replying to [comment:11 nickm]:
 > > Replying to [comment:10 asn]:
 > > > Replying to [comment:6 nickm]:
 > > > > Remaining issues, in addition to those above, after second review:
 > > > >
 > > > >  * If this new option is going to be on-by-default, then clients
 > > > >    really shouldn't pay attention to it, since they shouldn't actually
 > > > >    need to have a group at all.
 > > >
 > > > True. I'm only doing dynamic DH stuff to bridges now.
 > >
 > > Hm. This seems like something all servers should want.  I didn't see
 > > the part that made this bridges-only; where can I find it?
 > >
 >
 > f477ddcc20d5fc8c130b630854947a337881cd23 "Only bother with dynamic DH
 > moduli if we are a bridge."
 > If tor is not a bridge, it generates the static DH prime modulus of
 > Apache, like it used to.
 >
 > Assuming that the Apache DH prime modulus is as safe as any other
 > randomly generated DH modulus, why would a public relay operator want it?

 Assuming that an adversary isn't distinguishing based on using the apache
 modulus, there is no point in this branch at all as far as I can tell.

 Assuming that an adversary _is_ distinguishing based on the apache
 modulus, it's nice to get anti-fingerprinting features into the main Tor
 protocol.  (This is one reason we did the v3 handshake as part of the main
 Tor protocol, rather than as a special bridge-only thing.  This is also
 the reason we changed _everybody's_ DH parameters to the apache modulus,
 instead of only the bridges.)

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4548#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
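The distinguisher nickm is reasoning about, as an added example that is not Tor's code and not part of this ticket: a server that offers the same DH modulus as every other server of its kind is trivially matched by a passive observer who has that modulus in a list, and even without a list, one modulus shared across many servers stands out; a per-server modulus removes both signals. The script below generates fresh safe-prime moduli (a pure-Python search at a reduced size, rather than whatever Tor's TLS library does), validates a modulus the way a careful server operator would (safe prime, p ≡ 7 mod 8 so that g = 2 generates the order-q subgroup), and runs a small classifier over a constructed set of observed handshakes. The "known static modulus" is a value generated at run time as a stand-in, not the real Apache modulus; server names and function names are mine.

```python
"""Added example (not Tor's code): per-server DH moduli versus a shared
static one, as seen by a passive fingerprinter.

Assumptions (mine): modulus sizes are kept small so the pure-Python
safe-prime search finishes quickly; the static modulus and the observed
handshakes are constructed sample data."""
import random
import secrets

# small primes for trial division (2 first, then odd primes below 2000)
_SMALL_PRIMES = [2] + [p for p in range(3, 2000, 2)
                       if all(p % d for d in range(3, int(p ** 0.5) + 1, 2))]
_ODD_SMALL_PRIMES = _SMALL_PRIMES[1:]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with p and q prime, p exactly `bits` long and
    p ≡ 7 (mod 8): then 2 is a quadratic residue mod p, so g = 2 has
    order q and a DH exchange with it leaks nothing about the secret
    exponent's parity."""
    while True:
        # q has bits-1 bits with the top bit set and q ≡ 3 (mod 4),
        # which makes p = 2q + 1 ≡ 7 (mod 8)
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 3
        p = 2 * q + 1
        # cheap rejection: neither p nor q may have a small factor
        if any(q % r == 0 or p % r == 0 for r in _ODD_SMALL_PRIMES):
            continue
        if is_probable_prime(q) and is_probable_prime(p):
            return p


def dh_params_ok(p: int, g: int = 2) -> bool:
    """Accept only a safe prime with g = 2 of prime order q = (p-1)/2."""
    return (g == 2 and p % 8 == 7
            and is_probable_prime(p) and is_probable_prime((p - 1) // 2))


def fingerprintable(observed: dict, known_static: set) -> set:
    """observed maps server name -> DH modulus it offered. A server is
    flagged when its modulus is on the adversary's known list or is
    shared with any other observed server (no list needed for that)."""
    by_modulus = {}
    for server, p in observed.items():
        by_modulus.setdefault(p, []).append(server)
    flagged = set()
    for p, servers in by_modulus.items():
        if p in known_static or len(servers) > 1:
            flagged.update(servers)
    return flagged


def demo(bits: int = 512) -> dict:
    """Constructed scenario: two relays share one static modulus, two
    bridges each generated their own. Returns the flagged servers."""
    static_p = generate_safe_prime(bits)   # stand-in for a shared static modulus
    known_static = {static_p}              # what a DPI rule would carry
    observed = {
        "relay-1": static_p,
        "relay-2": static_p,
        "bridge-1": generate_safe_prime(bits),
        "bridge-2": generate_safe_prime(bits),
    }
    assert all(dh_params_ok(p) for p in observed.values())
    return {"flagged": fingerprintable(observed, known_static),
            "observed": observed}


if __name__ == "__main__":
    result = demo()
    print("flagged as fingerprintable:", sorted(result["flagged"]))
```

The `dh_params_ok` check is the part worth keeping even if one never generates parameters: 11 = 2·5 + 1 is a safe prime, but 11 ≡ 3 (mod 8), so 2 generates the whole group and every public value reveals the low bit of the exponent; 23 = 2·11 + 1 passes. The classifier shows the thread's point from the other side: `relay-1` and `relay-2` are flagged both because their modulus is on the list and because they share it, while the bridges, with unique moduli, are not.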

