[tor-dev] basket: More eggs in the Guard basket.

Nick Mathewson nickm at alum.mit.edu
Wed Dec 17 18:51:02 UTC 2014


On Tue, Dec 16, 2014 at 9:53 AM, Yawning Angel <yawning at schwanenlied.me> wrote:
> Hi all,
>
> For several reasons I've been working on a bit of code that I named
> "basket".  It's almost at the point where the brave members of the
> general public should be aware that it exists as a potential option in
> the privacy toolbox, though using it in any capacity beyond testing on
> a loopback device IS CURRENTLY ACTIVELY DISCOURAGED unless users are
> comfortable debugging it (This means, DO NOT USE IT.  I will likely
> break backward compatibility in the future, and you will be sad.).
>
> "basket" is my stab at designing something that significantly increases
> Tor's resistance to upcoming/future attacks, by providing a link layer
> cryptographic handshake that uses post-quantum cryptographic primitives
> and defenses against website fingerprinting (and possibly e2e
> correlation) attacks.
>
> For the ease of development it is in the form of a pluggable transport
> with the expected tradeoffs (you must absolutely trust your Bridge,
> since both features only run to the Bridge).  It is worth noting that
> it is anything but subtle, and it is blatantly obvious that a given
> connection is speaking "basket" as no attempt was made to obfuscate the
> handshake.
>
> The link layer handshake works roughly like thus:
>  Setup:
>   * Bob generates a long term SPHINCS256 keypair s,S used to sign
>     responses.
>
>  The handshake:
>   1. Alice generates a Curve25519 keypair x,X and a NTRUEncrypt
>      EES1171EP1 keypair n,N.
>   2. Alice sends X | N to Bob.
>   3. Bob generates a Curve25519 keypair y,Y, and calculates
>      Curve25519(y,X) as the shared secret.
>   4. Bob sends NTRUEncrypt(N,Y) | S | SPHINCS256(s, ntru_ciphertext |
>      S) to Alice.
>   5. Alice verifies the SPHINCS256 signature (Alice's copy of S is
>      saved/trusted in a Trust-On-First-Use manner), and decrypts the
>      NTRU ciphertext to obtain Y.
>   6. Alice calculates Curve25519(x,Y) as the shared secret.
>
>   NB: Some details omitted for brevity.

Should the handshake also a signature by Bob of (X|N), and should
maybe the shared secret also include a digest of all the other parts
of the communication?

-- 
Nick


More information about the tor-dev mailing list