[tor-dev] A concrete proposal for crypto (at least part of it)

Nick Mathewson nickm at alum.mit.edu
Wed Nov 2 17:30:13 UTC 2011


On Wed, Nov 2, 2011 at 12:45 PM, Robert Ransom <rransom.8774 at gmail.com> wrote:
> On 2011-11-02, Watson Ladd <watsonbladd at gmail.com> wrote:
>> Dear All,
>> Rather than get further sucked into a debate that is producing more
>> heat than light about Wegman-Carter, I've decided to make a concrete
>> proposal for how Tor can better protect its streams from manipulation.
>
> Your proposal is so detailed and concrete that I'm not even going to
> try to figure out what it means.

I'm going to suggest that we ought to isolate protocol discussions
from primitives discussions here.  The discussion of how to put
together a good relay packet format using a stream cipher and a MAC
(or a stream cipher with an authenticating mode of operation) ought to
be separable from the discussion of which stream
cipher/MAC/authenticating mode we use.

(If it isn't separable -- if the format relies on particular
properties of a given primitive -- that strikes me as a point against
the format.)

[...]
>> Right now Tor encrypts the streams of data from a client to an OR with
>> AES-CTR and no integrity checks.
>
> Bullshit.  We have a 32-bit-per-cell integrity check at the ends of a circuit.

Let's keep this polite, please.  "Not so" is a perfectly fine
alternative to "bullshit," and is likelier to keep future
conversations productive.

cheers,
-- 
Nick

