[tor-bugs] #9719 [Tor]: Reuse Y in ntor
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Sep 12 01:47:00 UTC 2013
#9719: Reuse Y in ntor
-------------------------+---------------------
Reporter: rransom | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Tor | Version:
Keywords: | Actual Points:
Parent ID: #9662 | Points:
-------------------------+---------------------
`Y` serves two purposes in ntor: it provides forward secrecy, and it
provides freshness (i.e. it ensures that the resulting session key will
never be used for more than one session).
Forward secrecy only requires that `y` be reasonably short-lived.
Changing it every 5 minutes is more than adequate.
Freshness could have been obtained by sending a server-provided nonce in
the handshake, and including that nonce in every hash performed by ntor
(and thus in the resulting key). Unfortunately, Tor's current ntor
protocol doesn't allow for a nonce.
The best that can be done without a protocol change is:
* store `(y, Y)` on a per-thread basis;
* generate a secret SipHash key `k` along with each `(y, Y)`;
* keep a per-thread 2^14^-bit replay-detection Bloom filter of the `bX`
values computed during the server handshake, using SipHash as the hash and
`k` as the key;
* if the Bloom filter cannot prove that `bX` computed during a handshake
is new, generate a new `(y, Y)` and `k`, and clear the Bloom filter.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9719>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list