Opened 6 years ago

Closed 4 years ago

Last modified 3 years ago

#9719 closed enhancement (wontfix)

Reuse Y in ntor

Reported by: rransom
Owned by:
Priority: Medium
Milestone:
Component: Core Tor/Tor
Version: Tor: 0.2.7
Severity: Normal
Keywords: tor-relay, performance, ntor, 027-triaged-1-in
Cc:
Actual Points:
Parent ID: #9662
Points: medium
Reviewer:
Sponsor:

Description

Y serves two purposes in ntor: it provides forward secrecy, and it provides freshness (i.e. it ensures that the resulting session key will never be used for more than one session).

Forward secrecy only requires that y be reasonably short-lived. Changing it every 5 minutes is more than adequate.

Freshness could have been obtained by sending a server-provided nonce in the handshake, and including that nonce in every hash performed by ntor (and thus in the resulting key). Unfortunately, Tor's current ntor protocol doesn't allow for a nonce.

The best that can be done without a protocol change is:

  • store (y, Y) on a per-thread basis;
  • generate a secret SipHash key k along with each (y, Y);
  • keep a per-thread 2^14-bit replay-detection Bloom filter of the bX values computed during the server handshake, using SipHash as the hash and k as the key;
  • if the Bloom filter cannot prove that bX computed during a handshake is new, generate a new (y, Y) and k, and clear the Bloom filter.

Change History (16)

comment:1 in reply to:  description Changed 6 years ago by rransom

Replying to rransom:

  • keep a per-thread 2^14-bit replay-detection Bloom filter of the bX values computed during the server handshake, using SipHash as the hash and k as the key;

I forgot that you're including X in the ntor hashes, not just the shared secrets. (ntor remains secure if B, X, and Y are omitted from the hashes; it essentially uses HDH with B to authenticate Y, and HDH with Y for forward secrecy, but without a second layer of hashing.) In that case, performing replay detection using X is sufficient.
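The replay filter from the description, keyed over X as comment:1 suggests, written out in C as an added example (not code from this ticket or from Tor). Assumptions: four 14-bit indices are taken from one SipHash-2-4 output, the (y, Y) keypair is represented only by an epoch counter, and the caller supplies fresh random key words; the 5-minute lifetime is not modelled.

```c
#include <stdint.h>
#include <string.h>
#define FILTER_BITS (1u << 14)  /* 2^14-bit filter, as in the ticket */
#define ROTL(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); } while (0)

/* Per-thread state. The ticket's (y, Y) is represented only by `epoch` (assumption). */
struct reuse_state {
    uint64_t k0, k1, epoch;     /* SipHash key k; epoch bumps per new (y, Y) */
    uint8_t bits[FILTER_BITS / 8];
};

/* SipHash-2-4 specialised to a 32-byte input (one Curve25519 public key X). */
static uint64_t siphash32(const uint8_t x[32], uint64_t k0, uint64_t k1) {
    uint64_t v0 = k0 ^ 0x736f6d6570736575ULL, v1 = k1 ^ 0x646f72616e646f6dULL;
    uint64_t v2 = k0 ^ 0x6c7967656e657261ULL, v3 = k1 ^ 0x7465646279746573ULL;
    for (int i = 0; i <= 4; i++) {
        uint64_t m = (uint64_t)32 << 56;  /* last block: length byte only */
        if (i < 4) { m = 0; for (int j = 7; j >= 0; j--) m = (m << 8) | x[8 * i + j]; }
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* New (y, Y) and k: the caller passes fresh random key words; filter is cleared. */
void reuse_rotate(struct reuse_state *s, uint64_t k0, uint64_t k1) {
    memset(s->bits, 0, sizeof s->bits);
    s->k0 = k0; s->k1 = k1; s->epoch++;
}

/* Returns 1 if the current Y can serve client key X. Returns 0 if X could not be
 * proven new (replay or false positive), in which case (y, Y) and k were rotated. */
int reuse_check(struct reuse_state *s, const uint8_t x[32], uint64_t nk0, uint64_t nk1) {
    uint64_t h = siphash32(x, s->k0, s->k1);
    int seen = 1;
    for (int i = 0; i < 4; i++) {         /* four 14-bit indices from one hash */
        unsigned b = (unsigned)(h >> (14 * i)) % FILTER_BITS;
        seen &= (s->bits[b / 8] >> (b % 8)) & 1;
    }
    if (seen) { reuse_rotate(s, nk0, nk1); h = siphash32(x, s->k0, s->k1); }
    for (int i = 0; i < 4; i++) {         /* record X under the current key */
        unsigned b = (unsigned)(h >> (14 * i)) % FILTER_BITS;
        s->bits[b / 8] |= (uint8_t)(1u << (b % 8));
    }
    return !seen;
}
```

Because k is secret and replaced on every rotation, a client cannot choose X values that collide in the filter to force rotations on demand.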

comment:2 Changed 6 years ago by nickm

Keywords: tor-relay performance ntor added
Milestone: Tor: 0.2.6.x-final

comment:3 Changed 6 years ago by nickm

Milestone: Tor: 0.2.6.x-final → Tor: 0.2.???

comment:4 Changed 5 years ago by nickm

Milestone: Tor: 0.2.??? → Tor: 0.2.7.x-final

These may be worth looking at for 0.2.7.

comment:5 Changed 5 years ago by nickm

Status: new → assigned

comment:6 Changed 5 years ago by nickm

Keywords: 027-triaged-1-in added

Marking some tickets as triaged-in for 0.2.7 based on early triage

comment:7 Changed 5 years ago by isabela

Keywords: SponsorU added
Points: medium
Version: Tor: 0.2.7

comment:8 Changed 4 years ago by nickm

Milestone: Tor: 0.2.7.x-final → Tor: 0.2.8.x-final

comment:9 Changed 4 years ago by nickm

Keywords: SponsorU removed
Sponsor: SponsorU

Bulk-replace SponsorU keyword with SponsorU field.

comment:10 Changed 4 years ago by nickm

Milestone: Tor: 0.2.8.x-final → Tor: 0.2.???

It is impossible that we will fix all 252 currently open 028 tickets before 028 releases. Time to move some out. This is my first pass through the "assigned" tickets with no owner, looking for things to move to ???.

If somebody thinks they can get these done before the 0.2.8 timeout, please assign it to yourself and move it back?

comment:11 Changed 4 years ago by isabela

Sponsor: SponsorU → SponsorU-can

comment:12 Changed 4 years ago by yawning

Severity: Normal

This feels relatively minor to me now, though it won't be hard to do. On an i7-5600U, this will cut out 20 usec or so per handshake for the fast path. There are probably other optimizations that can be made that are more impactful (like pulling in CPU-specific X25519 implementations).

comment:13 Changed 4 years ago by nickm

Sponsor: SponsorU-can

comment:14 Changed 4 years ago by yawning

Resolution: wontfix
Status: assigned → closed

Neat-ish idea, but doesn't really cut out enough processing to be a huge win. Closing per discussion with nickm.

comment:15 Changed 3 years ago by teor

Milestone: Tor: 0.2.??? → Tor: 0.3.???

Milestone renamed

comment:16 Changed 3 years ago by nickm

Milestone: Tor: 0.3.???

Milestone deleted