Speaking of cryptography

Florent Daigniere nextgens at freenetproject.org
Wed Jan 6 11:18:21 UTC 2010


Roger Dingledine wrote:
> On Tue, Jan 05, 2010 at 11:26:36PM +0100, moris blues wrote:
>> I read about: Speaking of cryptography,
>> check for bad values of g^x, g^y...
>>
>> apparently there is a MIM attack on DH available.
>> What options are there to protect oneself against it?
> 
> I assume you're talking about
> http://archives.seul.org/or/announce/Aug-2005/msg00002.htm
> 
> You should also read
> http://freehaven.net/anonbib/#tap:pet2006
> 
>> There still is the possibility to use the MQV/HMQV protocol.
>>
>> My question then is why it is not used.
>> Is it possible to implement the MQV as a substitute for DH?
> 
> No idea. Somebody clueful in crypto would have to figure that one out,
> and then convince somebody that's both clueful in crypto and well-known
> in the Tor community to believe it.
> 
> Writing it up as a research paper and getting it published would be the
> best approach. Writing it up as a Tor proposal and including a thorough
> security/performance/transition analysis might work too. Identifying
> further problems in the current approach would encourage us to switch
> faster.
> 

Hi,

Forget about MQV and HMQV ... they are flawed. Look at FHMQV 
(http://eprint.iacr.org/2009/408) or JFK(i|r) 
(http://people.csail.mit.edu/canetti/materials/jfk.pdf) instead.

JFKi is what we use in Freenet (http://wiki.freenetproject.org/JFki)... 
In tor's case JFKr would probably make more sense though. But again, we 
had a different threat model and were trying to protect ourselves from 
DoS (memory and CPU). Before that we were using a signed-DH exchange 
checking for bad values like tor does at the moment, and as far as I know 
that is still believed to be secure nowadays.

Florent

PS: There are later revisions of the JFK paper... but I can't find them in 
my bookmarks.
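The "check for bad values of g^x, g^y" that the thread refers to, as an added example that is not part of this thread or of Tor's or Freenet's code: a peer's DH public value is rejected if it is degenerate or outside the prime-order subgroup. The group parameters are a constructed toy safe-prime group for illustration only.

```python
# Added example: validating a Diffie-Hellman peer value before use.
# Group parameters are a CONSTRUCTED toy safe-prime group (p = 2q + 1);
# a real deployment uses a standardized group of at least 2048 bits.
import secrets

P = 23   # constructed safe prime, p = 2*q + 1
Q = 11   # prime order of the subgroup generated by G
G = 2    # 2^11 mod 23 == 1, so 2 generates the order-q subgroup


def validate_peer_value(y: int, p: int = P, q: int = Q) -> bool:
    """Return True iff y is an acceptable DH public value.

    Rejected values and why:
      * y <= 1 or y >= p-1: the shared secret becomes 0, 1 or (-1)^x,
        predictable by an active attacker who substituted the value;
      * y outside the order-q subgroup (order 2 or 2q in a safe-prime
        group): small-subgroup confinement / leaks the parity of x.
    """
    if not 2 <= y <= p - 2:
        return False
    return pow(y, q, p) == 1


def dh_keypair(p: int = P, q: int = Q, g: int = G):
    """Private exponent in [1, q-1] and the matching public value g^x."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def shared_secret(peer_value: int, x: int, p: int = P) -> int:
    """Derive peer_value^x, refusing to proceed on a bad peer value."""
    if not validate_peer_value(peer_value, p):
        raise ValueError("rejected degenerate DH public value")
    return pow(peer_value, x, p)


def rejected_values(candidates):
    """Return the subset of candidates the check refuses."""
    return [y for y in candidates if not validate_peer_value(y)]


if __name__ == "__main__":
    xa, ya = dh_keypair()
    xb, yb = dh_keypair()
    assert shared_secret(yb, xa) == shared_secret(ya, xb)
    # 0, 1, p-1 and p are the classic substitutions; 5 has order 2q.
    print("rejected:", rejected_values([0, 1, P - 1, P, 5, 2, 4]))
```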
