[tor-dev] obfsproxy buffering

Ian Goldberg iang at cs.uwaterloo.ca
Mon Nov 18 13:04:46 UTC 2013

On Sun, Nov 17, 2013 at 07:33:12PM -0800, David Stainton wrote:
> Hi,
> I noticed that because the obfsproxy api can sometimes buffer and
> resend smaller chunks of data. My simple use of Nacl stream_crypto to
> wrap each incoming data buffers will not work... that is because the
> client and server must keep synchronized nonce counters for the
> decrypt/encrypt to work... and in this case the client may send one
> large buffer and the server may receive many smaller buffers... trying
> to decrypt them with different nonces will of course fail.
> https://github.com/david415/obfsproxy/tree/david-nacl-stream-withoutkeyexchange
> It seems like the solution is to write a super simple "framing
> protocol"... which is to say that I can first send a frame length; and
> on the receiving end simply read until frame length worth of data is
> consumed... and then apply the crypto_stream cipher on that frame with
> the correct corresponding nonce.

Super-simple framing protocols often fall victim to attacks in which the
adversary messes with the length in the frame header.  See, for example,
"Plaintext Recovery Attacks Against SSH":

So be careful here.

   - Ian

More information about the tor-dev mailing list