[tor-bugs] #5460 [Tor Client]: Write proposal(s) to evaluate circuit crypto authentication
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Wed May 23 00:42:34 UTC 2012
#5460: Write proposal(s) to evaluate circuit crypto authentication
------------------------+---------------------------------------------------
Reporter: mikeperry | Owner: nickm
Type: defect | Status: assigned
Priority: major | Milestone: Tor: 0.2.4.x-final
Component: Tor Client | Version:
Keywords: | Parent: #5456
Points: | Actualpoints:
------------------------+---------------------------------------------------
Comment(by nickm):
Replying to [comment:5 arma]:
> Replying to [comment:1 rransom]:
> > BEAR/LION/LIONESS are not ‘self-authenticating crypto’. They are
> > large-block block ciphers which ensure that any change to a block's data
> > on one side of an honest relay completely scrambles the block's data on
> > the other side. They would need to be accompanied by an end-to-end MAC.
>
> Even if accompanied by an end-to-end mac, isn't that insufficient? If I
> can mangle a cell, and detect mangling, and it still gets to the other
> end, that sounds like a tagging attack to me. It's not as fine-grained a
> tagging attack sure, but if the goal is "cause circuit failure at the 2nd
> hop, not the third" then it's not going to do it, right?

"It Depends". The biggest problem with the current tagging attack is that
a successfully tagged circuit (one where the attacker observes the tag) is
recoverable by the attacker. Either a whole-cell encryption approach or a
per-hop MAC approach would solve *that*. (As for the "it's still a tag"
argument... it's not clear that "the whole circuit gets destroyed away
suddenly" is much worse as a tag than "the whole circuit turns to junk
suddenly".)

I wrote a draft draft draft today, and I'm showing it to some
naive-about-tor/smart-about-crypto people to try to make sure it's readable.
I'll give it another editing pass after that, assign it a proposal number,
and call this ticket closed.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5460#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
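
Added example, not part of the ticket or of Tor's code: a minimal LION-style wide-block cipher next to plain stream-cipher encryption, showing the property discussed in the thread, that a one-bit change turns the whole block to junk instead of surviving as a recoverable one-bit change. The primitives (SHAKE-256 as the stream cipher, SHA-256 as the hash), the keys and the 509-byte payload are assumptions chosen for illustration; as the quoted comment says, this provides no authentication by itself.

```python
import hashlib

LEFT = 32  # size in bytes of the short Feistel branch (SHA-256 output)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def stream(key, n):
    # Stand-in stream cipher (assumption): n bytes of SHAKE-256 keyed by `key`.
    return hashlib.shake_256(key).digest(n)

def lion_encrypt(k1, k2, block):
    # LION: stream round, hash round, stream round over an unbalanced split.
    l, r = block[:LEFT], block[LEFT:]
    r = xor(r, stream(xor(l, k1), len(r)))
    l = xor(l, hashlib.sha256(r).digest())
    r = xor(r, stream(xor(l, k2), len(r)))
    return l + r

def lion_decrypt(k1, k2, block):
    # Same three rounds in reverse order.
    l, r = block[:LEFT], block[LEFT:]
    r = xor(r, stream(xor(l, k2), len(r)))
    l = xor(l, hashlib.sha256(r).digest())
    r = xor(r, stream(xor(l, k1), len(r)))
    return l + r

def stream_crypt(key, block):
    # Plain stream-cipher encryption; the same call encrypts and decrypts.
    return xor(block, stream(key, len(block)))

def flip_bit(data, bit):
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def bits_changed(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def demo():
    k1, k2 = b"\x01" * LEFT, b"\x02" * LEFT   # constructed keys
    cell = (bytes(range(256)) * 2)[:509]      # constructed 509-byte payload
    tampered = flip_bit(stream_crypt(k1, cell), 1000)
    stream_damage = bits_changed(cell, stream_crypt(k1, tampered))
    tampered = flip_bit(lion_encrypt(k1, k2, cell), 1000)
    lion_damage = bits_changed(cell, lion_decrypt(k1, k2, tampered))
    return stream_damage, lion_damage

if __name__ == "__main__":
    print("plaintext bits changed (stream, LION):", demo())
```

With the stream cipher exactly one plaintext bit changes; with the wide-block construction roughly half of the block's 4072 bits change.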