[tor-dev] Proposal: Link Cryptographic Agility
isis at torproject.org
Mon Nov 16 21:58:41 UTC 2015
I'm generally in favour of merging this, but I'll wait a couple days to see if
anyone has any feedback. Particularly, I'd like to hear if Nick has any
Some brief comments/questions inline:
Yawning Angel transcribed 5.7K bytes:
> There's been talk of moving to a wide block construct for cell crypto
> (#5460), and for adding PQ Forward Secrecy to traffic (#17272). To
> facilitate this, there needs to be a method for negotiating which
> primitives a given relay supports.
> To that end, here's the begining of a proposal (tentatively #260) that
> adds a `CIPHERSUITES` cell to the version negotiation process which
> allows relays to advertise the link cryptography primitives that they
> are willing to accept.
> * Should the new cell be variable length? Our development cycle and
> how often we switch handshakes/link crypto tells me "No", the
> existing "VERSIONS" cell format tells me "Yes".
Given that we switch handshakes once in a blue moon, and generally try to
deprecate the old protocol ASAP, it might be better to go with a fixed length?
> * We need to revise prop. 249 to add a cell crypto method specifier to
So that the client can coerce some choice of link cryptographic primitives for
the entire circuit? Without advertisements of the supported primitives
included somewhere in the relay descriptors (as you mentioned, below), won't
this result in (at least for a while, and then again for a while each time a
new primitive is introduced) increased circuit build failures?
> * Proposal 249 does not cover changing RELAY_EARLY behavior, which
> will potentially cause problems (Eg: Ring-LWE + ntor will require
> between 5 to 9 fragments depending on the exact primitives).
What new behaviour do we need from RELAY_EARLY? If I understood prop#249
correctly, RELAY_EARLY should work as before (in particular with 8-9 total
RELAY_EARLYs allowed per circuit construction), but that (potentially
multipartite) EXTEND2(s) within RELAY_EARLY(s) should contain variable length
authentication data. Are you just concerned that we'll go over the 8-9 cell
limit and open ourselves back up to infinite circuit attacks? Or am I missing
> * The actual hybrid construct is deliberately left unspecified.
> * With runtime negotiation of primitives on a per-circuit basis, we
> introduce the possibility of downgrade attacks. We do calculate
> the SHA256 digest of VERSIONS/CERTS/AUTH_CHALLENGE cells (which
> will become VERSIONS/CIPHERSUITES/CERTS/AUTH_CHALLENGE), so we could
> do something like:
> auth_input = verify | ID | B | Y | X | SLOG | PROTOID | "Server"
> Where SLOG is the digest without too much difficulty...
This would require backwards-incompatible changes to the AUTHENTICATE cells
currently in use by the ntor handshake, right? Are we prepared to wait three
releases for the new changes to be available ubiquitously, or do we have some
sooner timeline in mind for a PQ handshake?
♥Ⓐ isis agora lovecruft
Current Keys: https://blog.patternsinthevoid.net/isis.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1240 bytes
Desc: Digital signature
More information about the tor-dev