[tor-bugs] #18221 [Tor]: Validate our DH parameters to prevent socat-type fails.

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Feb 4 15:08:27 UTC 2016

#18221: Validate our DH parameters to prevent socat-type fails.
 Reporter:  yawning          |          Owner:
     Type:  enhancement      |         Status:  needs_review
 Priority:  Medium           |      Milestone:  Tor: 0.2.8.x-final
Component:  Tor              |        Version:  Tor: unspecified
 Severity:  Normal           |     Resolution:
 Keywords:  tor-core crypto  |  Actual Points:
Parent ID:                   |         Points:
  Sponsor:                   |

Comment (by yawning):

 Replying to [comment:8 bugzilla]:
 > If an adversary could make a fallback in TLS session, then it'd be
 > seamless for the user.

 That requires breaking TLS, or the relay being malicious.  In both cases,
 you lose regardless of what cipher suite you're using.

 > > Use P-256
 > It's not so good as it seems. 256-bit PK is theoretically strong as
 > 128-bit AES key, but 112-bit can be broken, and the same for 128-bit in
 > the near future. And what's then? Urgently disable P-256 fallback from


 If anything I'd move to X448 over P-384, but there's not much point when
 ntor is X25519 based, and relay identities are signed with Ed25519.

 Assuming you aren't doing anything clever with batch attacks (which aren't
 applicable to properly implemented P-256, X25519, or X448), public key
 cryptography with 112/128 bit security levels requires a quantum computer
 to break.

 It's also worth noting that to get a 128 bit security level with classic
 DH, you need a group that is at least 3248 bits, which would have
 catastrophic performance implications.

 Anyway, this is orthogonal to the ticket.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18221#comment:9>