[tor-dev] Attentive Otter: Analysis of xmpp-client
watsonbladd at gmail.com
Wed Oct 9 03:40:30 UTC 2013
On Tue, Oct 8, 2013 at 4:49 PM, Mike Perry <mikeperry at torproject.org> wrote:
> Jurre van Bergen:
> > *OTR*
> > OTR support comes from the Go crypto package:
> > https://code.google.com/p/go.crypto/
> > This library only has support for OTRv2 and not the latest OTRv3
> > specification. If we want to be resistant to several attacks on the
> > OTR protocol, we need to reimplement the OTR protocol and update it to
> > the latest version or, we use Cgo, which binds into libotr. (Open
> > questions: OTR by default?, )
> > 
> According to agl:
> "The DH and DSA code uses Go's math/big library, which isn't constant
> He said these non-constant time Go primitives are used by OTR, and will
> be used by TLS if they are specified by the negotiated cipher suite.
The easy fix is to make go.crypto constant time, for at least what we need.
If we are okay with bad performance, this doesn't require much trickery for
DH: saturated limb arithmetic modulo a constant with precomputed Barrett
reduction tables is constant time. DSA is harder because the modulus is
provided as part of the key. I don't know how to do that in constant time.
> So xmpp-client's OTR and TLS support would definitely need to be
> rewritten to call out to a native code implementation or rewritten to
> use new constant time Go primitives, independent of OTRv2 vs OTRv3.
> Mike Perry
"Those who would give up Essential Liberty to purchase a little Temporary
Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
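The fixed-modulus Barrett approach mentioned in the reply above, as an added example that is not code from the thread or from go.crypto: the modulus is narrowed to a single 32-bit limb (2^31 <= m < 2^32, m odd) so the fixed-shape structure is visible in a few lines; a real DH modulus needs the same idea over many limbs. It assumes a compiler with `unsigned __int128` (gcc or clang).

```c
#include <stdint.h>
#include <stdio.h>

/* Barrett reduction modulo a fixed 32-bit modulus m (2^31 <= m < 2^32, m odd).
 * Inputs satisfy x < 2^64. Every operation has a shape independent of x:
 * no division, no data-dependent loop, no branch on the value being reduced. */
typedef struct { uint32_t m; uint64_t mu; } barrett_ctx;

/* Precompute mu = floor(2^64 / m) once per modulus (the "table" for one limb).
 * For odd m, floor((2^64 - 1) / m) == floor(2^64 / m), so no 128-bit divide. */
barrett_ctx barrett_init(uint32_t m) {
    barrett_ctx c;
    c.m = m;
    c.mu = UINT64_MAX / m;   /* runs once, on a public constant, so timing is irrelevant */
    return c;
}

/* Conditional subtraction without a branch: returns r - m if r >= m, else r.
 * Caller guarantees r < 2^34, so the top bit of (r - m) is set iff it wrapped. */
static uint64_t ct_sub_mod(uint64_t r, uint64_t m) {
    uint64_t t = r - m;            /* wraps iff r < m */
    uint64_t borrow = t >> 63;     /* 1 iff wrapped */
    uint64_t mask = 0 - borrow;    /* all ones iff r < m */
    return (r & mask) | (t & ~mask);
}

uint32_t barrett_reduce(const barrett_ctx *c, uint64_t x) {
    uint64_t q1 = x >> 31;                                  /* floor(x / 2^(k-1)), k = 32 */
    unsigned __int128 q2 = (unsigned __int128)q1 * c->mu;   /* up to 2^66, needs 128 bits */
    uint64_t q3 = (uint64_t)(q2 >> 33);                     /* floor(q2 / 2^(k+1)) */
    uint64_t r = x - q3 * (uint64_t)c->m;                   /* q3 <= x/m, so 0 <= r < 3m */
    r = ct_sub_mod(r, c->m);   /* always executed twice: the estimate is off by at most 2 */
    r = ct_sub_mod(r, c->m);
    return (uint32_t)r;
}

int main(void) {
    barrett_ctx c = barrett_init(4294967291u);   /* 2^32 - 5, a constructed sample modulus */
    uint64_t x = 123456789012345ULL;             /* constructed sample input */
    printf("%llu mod %u = %u\n", (unsigned long long)x, c.m, barrett_reduce(&c, x));
    return 0;
}
```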