[tor-dev] basket: More eggs in the Guard basket.
nickm at alum.mit.edu
Wed Dec 17 18:51:02 UTC 2014
On Tue, Dec 16, 2014 at 9:53 AM, Yawning Angel <yawning at schwanenlied.me> wrote:
> Hi all,
> For several reasons I've been working on a bit of code that I named
> "basket". It's almost at the point where the brave members of the
> general public should be aware that it exists as a potential option in
> the privacy toolbox, though using it in any capacity beyond testing on
> a loopback device IS CURRENTLY ACTIVELY DISCOURAGED unless users are
> comfortable debugging it (This means, DO NOT USE IT. I will likely
> break backward compatibility in the future, and you will be sad.).
> "basket" is my stab at designing something that significantly increases
> Tor's resistance to upcoming/future attacks, by providing a link layer
> cryptographic handshake that uses post-quantum cryptographic primitives
> and defenses against website fingerprinting (and possibly e2e
> correlation) attacks.
> For the ease of development it is in the form of a pluggable transport
> with the expected tradeoffs (you must absolutely trust your Bridge,
> since both features only run to the Bridge). It is worth noting that
> it is anything but subtle, and it is blatantly obvious that a given
> connection is speaking "basket" as no attempt was made to obfuscate the
> The link layer handshake works roughly like thus:
> * Bob generates a long term SPHINCS256 keypair s,S used to sign
> The handshake:
> 1. Alice generates a Curve25519 keypair x,X and a NTRUEncrypt
> EES1171EP1 keypair n,N.
> 2. Alice sends X | N to Bob.
> 3. Bob generates a Curve25519 keypair y,Y, and calculates
> Curve25519(y,X) as the shared secret.
> 4. Bob sends NTRUEncrypt(N,Y) | S | SPHINCS256(s, ntru_ciphertext |
> S) to Alice.
> 5. Alice verifies the SPHINCS256 signature (Alice's copy of S is
> saved/trusted in a Trust-On-First-Use manner), and decrypts the
> NTRU ciphertext to obtain Y.
> 6. Alice calculates Curve25519(x,Y) as the shared secret.
> NB: Some details omitted for brevity.
Should the handshake also include a signature by Bob of (X|N), and should
maybe the shared secret also include a digest of all the other parts
of the communication?
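
The second suggestion in the reply above, folding a digest of the rest of the exchange into the shared secret, sketched as an added example (not code from basket or from either poster). It assumes HKDF-SHA256 and a length-prefixed transcript, and uses random bytes as constructed stand-ins for X, N, the NTRU ciphertext, S and the signature; all function names are hypothetical.

```python
import hashlib
import hmac
import os

def transcript_digest(*messages: bytes) -> bytes:
    """SHA-256 over length-prefixed fields, so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for m in messages:
        h.update(len(m).to_bytes(4, "big"))
        h.update(m)
    return h.digest()

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def session_key(dh_secret, X, N, ntru_ct, S, sig) -> bytes:
    """Bind the Curve25519 output to every message a side sent or received."""
    digest = transcript_digest(X, N, ntru_ct, S, sig)
    # The info label is an assumption made for this example.
    return hkdf_sha256(dh_secret, salt=digest, info=b"example-session-key")

def demo():
    # Constructed stand-ins: random bytes of arbitrary size, not real keys.
    X, N, N_other = os.urandom(32), os.urandom(64), os.urandom(64)
    ntru_ct, S, sig = os.urandom(64), os.urandom(32), os.urandom(64)
    dh = os.urandom(32)  # stands in for Curve25519(x,Y) == Curve25519(y,X)
    alice = session_key(dh, X, N, ntru_ct, S, sig)
    bob_same_view = session_key(dh, X, N, ntru_ct, S, sig)
    bob_other_view = session_key(dh, X, N_other, ntru_ct, S, sig)  # Bob received a different N
    return alice == bob_same_view, alice == bob_other_view

if __name__ == "__main__":
    print(demo())
```

If the two sides disagree about any field of the exchange, they derive different keys even though the raw Curve25519 output is the same, so the mismatch surfaces at the first authenticated message.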