[tor-dev] Some initial analysis on the new "Triple Handshake Attack" and Tor
Nick Mathewson
nickm at alum.mit.edu
Tue Mar 4 15:05:52 UTC 2014
On Mon, Mar 3, 2014 at 10:37 PM, Watson Ladd <watsonbladd at gmail.com> wrote:
> How about 6: Tor server to server connections should use
> ECDHE+ChaCha20 or GCM_AES ciphersuites only?
> This closes the UKS hole that enabled this attack to happen, and
> probably is a good idea anyway.
To make sure I understand, it's the ECDHE that's the defense here:
unlike DHE, ECDHE implementations don't let the attacker pick an
arbitrary set of parameters which might not define a real group, and
so if ECDHE is used, the attacker can't force two connections to share
the same keys.
I guess this is another "defense in depth" item: as of Tor 0.2.4.x*,
the preferred ciphersuites are all ECDHE ones. But that isn't quite
good enough, since non-ECDHE ciphersuites are still supported, so an
attacker can simply pretend not to support them when talking to the
client and the server.
It would be helpful to know what fraction of 0.2.4.x servers support
ECDHE ciphersuites today. That would let us figure out what obstacles
there might be to dropping non-ECDHE ciphersuites in the future.
* Assuming you're built with a good enough version of OpenSSL that
doesn't have ECC turned off.
best wishes,
--
Nick
More information about the tor-dev
mailing list