[tor-bugs] #22948 [Core Tor/Tor]: Padding, Keepalive and Drop cells should have random payloads

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jul 18 00:17:18 UTC 2017


#22948: Padding, Keepalive and Drop cells should have random payloads
--------------------------------------+------------------------------------
 Reporter:  teor                      |          Owner:
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:  Tor: 0.3.2.x-final
Component:  Core Tor/Tor              |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tor-spec, security-maybe  |  Actual Points:
Parent ID:  #18856                    |         Points:  0.5
 Reviewer:                            |        Sponsor:
--------------------------------------+------------------------------------

Comment (by cypherpunks):

 Replying to [comment:4 teor]:
 > Then this is probably ok in 0.3.1.
 >
 > Is there any reason for padding cells to have random payloads?
 > Does it make it harder for adversaries to decrypt them?
 > (If so, should we fill every cell with random data rather than zeroes?
 > Or does that make it harder to add extra fields to cells?)
 >
 > On the other hand, are we worried that implementations with low quality
 PRNGs will leak state by doing this?
 >
 > I suggest we update the spec to say that padding cells should be filled
 with zero bytes, just like other cells, unless there is some compelling
 reason to use random bytes.
 This is not something to decide, permanently, in a rush.

 Intuitively, thinking about what (very far future attacks) could happen,
 rather than what is known to already be possible, random or at least
 pseudo-random data seems better. And there are simple ways of generating
 pseudorandom data that is at least better against imaginable future
 cryptanalysis than all zeroes, which consume very little entropy, like
 repeated hashing, or (perhaps potentially less good) a stream cipher with
 a random key, etc.

 (Why potentially less good? Arguably it is consistent with $agency's
 agenda to allow 'hash functions' to be developed and adopted that have the
 best security properties possible, but the same may not be true of
 'ciphers'.)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22948#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list