[tor-dev] Attentive Otter: Analysis of xmpp-client

Watson Ladd watsonbladd at gmail.com
Wed Oct 9 03:40:30 UTC 2013


On Tue, Oct 8, 2013 at 4:49 PM, Mike Perry <mikeperry at torproject.org> wrote:

> Jurre van Bergen:
> >
> > *OTR*
> > OTR support comes from the Go crypto package:
> > https://code.google.com/p/go.crypto/
> > This library only has support for OTRv2 and not the latest OTRv3
> > specification. If we want to be resistant to several attacks[1]  on the
> > OTR protocol, we need to reimplement the OTR protocol and update it to
> > the latest version or, we use Cgo, which binds into libotr. (Open
> > questions: OTR by default?, )
> >
> > [1]
> >
> http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.165.7945&rep=rep1&type=pdf
>
> According to agl:
> "The DH and DSA code uses Go's math/big library, which isn't constant
> time."
>
> He said these non-constant time Go primitives are used by OTR, and will
> be used by TLS if they are specified by the negotiated cipher suite.
>
The easy fix is to make go.crypto constant time, for at least what we need.

If we are okay with bad performance this doesn't require much trickery for
DH: saturated limb arithmetic modulo
a constant with a precomputed Barrett reduction tables is constant time.

DSA is harder because the modulus is provided as part of the key. I don't
know how to do that in constant time.

>
> So xmpp-client's OTR and TLS support would definitely need to be
> rewritten to call out to a native code implementation or rewritten to
> use new constant time Go primitives, independent of OTRv2 vs OTRv3.


>
> --
> Mike Perry
>
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
>
>


-- 
"Those who would give up Essential Liberty to purchase a little Temporary
Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20131008/5ac6884f/attachment.html>


More information about the tor-dev mailing list