Summer 2013 Tor Developer Meeting, Day 2 Session 1: crypto discussion with Tanja

Author: isis <isis@…> Date: 2013-07-23 Tue

Table of Contents

- tor's current crypto
  1.1. problematic protocols
    1.1.1. TLS
    1.1.2. SHA1
    1.1.3. RSA 1024 for .onion
    1.1.4. AES-CTR-SHA1-32
  1.2. keys which routers currently have
    1.2.1. identity key
    1.2.2. onion-tap key
    1.2.3. onion-ntor key
    1.2.4. TLS_LINK AUTH key
- other things to look into
  2.1. HHFHFH
  2.2. @TweetNaCL
  2.3. dual elliptic curve RNG
  2.4. speed considerations
  2.5. elligator

1. tor's current crypto

1.1. problematic protocols

1.1.1. TLS

1.1.2. SHA1

1.1.3. RSA 1024 for .onion

- upgrading keysize is trivial in some places, hard in others
- only used for identity keys, hence only for authentication

1.1.4. AES-CTR-SHA1-32

- 32 because the SHA1 digest is truncated to 32 bits
- counter mode is needed for the HMAC. Could be replaced with ECIES (= ElGamal + DH). This would allow signing and Diffie-Hellman between nodes, and therefore cross-certification between nodes
- nothing currently signs the identity keys, but the identity keys sign a bunch of other things
- If you demand an identity key from a node, and the identity key signs the TLS session key, then if the attacker discovers the guard node for a hidden service, you could MITM the TLS session. mike mentions that you could then do "funny things with the circuit".

1.2. keys which routers currently have

1.2.1. identity key

RSA 1024

1.2.2. onion-tap key

RSA 1024

- used for the circuit extension protocol

1.2.3. onion-ntor key

Curve25519

- newer protocol for circuit extension
- Should we do mixed circuits between the old TAP protocol and ntor, or should we allow clients to use the ntor protocol only if a full circuit can be constructed with ntor's Curve25519 keys?

1.2.4. TLS_LINK AUTH key

RSA 1024

2. other things to look into

2.1. HHFHFH

- noncryptographic hash function
- fast block cipher
- AUTH_SIGN RSA 1024
- AUTHID RSA 3072

2.2. @TweetNaCL

- optimized NaCl library in 100 tweets of compilable C

2.3. dual elliptic curve RNG

- andrea mentions it as a creepy backdoored RNG if you google search for this term set.

2.4. speed considerations

- Salsa-20 compatibility

2.5. elligator

~~Montgomery notation~~ gives just the x-coordinate of an ECC point for the DH handshake, appears random. Tanja: method to map any integer in [0,(p-1)/2] to an EC point; the map is invertible and for p close to a power of 2 (p ~ 2^{b}) the set [0,(p-1)/2] is indistinguishable from [0,2^{b-1}]. For details see http://eprint.iacr.org/2013/325. A construction compatible with Curve25519 will come soon.
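The map Tanja describes, worked through as an added example that is not part of the meeting notes: an implementation of Elligator 2 on Curve25519, the Curve25519-compatible construction from the same Elligator work (the notes say it was still to come). It assumes the standard Curve25519 parameters p = 2^255 - 19 and A = 486662, uses Z = 2 as the fixed non-square, and picks the root in [0,(p-1)/2] as the canonical square root; the function names are mine. It shows the forward map from a representative in [0,(p-1)/2] to a curve point, the inverse that recovers the representative, why only about half of all points have one, and why a 254-bit representative fits the "indistinguishable from [0,2^{b-1}]" claim for b = 255.

```python
# Added example: Elligator 2 on Curve25519 (not code from the meeting notes).
# Parameters are the standard Curve25519 values; the non-square Z = 2 and the
# "canonical root = the one in [0,(P-1)/2]" convention are choices made here.
P = 2**255 - 19
A = 486662                         # Curve25519: v^2 = u^3 + A*u^2 + u
Z = 2                              # fixed non-square mod P (P = 5 mod 8)
HALF = (P - 1) // 2                # representatives live in [0, HALF]
SQRT_M1 = pow(2, (P - 1) // 4, P)  # a square root of -1 mod P


def is_square(a):
    a %= P
    return a == 0 or pow(a, (P - 1) // 2, P) == 1


def sqrt_mod(a):
    """Canonical square root of a quadratic residue a: the root in [0, HALF]."""
    a %= P
    r = pow(a, (P + 3) // 8, P)    # valid because P = 5 (mod 8)
    if (r * r - a) % P:
        r = r * SQRT_M1 % P
    if (r * r - a) % P:
        raise ValueError("not a square")
    return min(r, P - r)


def inv(a):
    return pow(a, P - 2, P)


def curve_rhs(x):
    return (x * x * x + A * x * x + x) % P


def on_curve(x, y):
    return (y * y - curve_rhs(x)) % P == 0


def elligator2_map(r):
    """Map a representative r to a curve point (only r^2 matters, so r and -r collide)."""
    v = (-A * inv(1 + Z * r * r)) % P      # 1 + Z*r^2 is never 0 for Z = 2
    if is_square(curve_rhs(v)):
        x, y = v, (-sqrt_mod(curve_rhs(v))) % P
    else:
        x = (-A - v) % P
        y = sqrt_mod(curve_rhs(x))
    return x, y


def elligator2_inverse(x, y):
    """Representative in [0, HALF] of (x, y), or None when the point has none.
    Only about half of all curve points are in the image of the map."""
    x, y = x % P, y % P
    if x == 0 or x == (-A) % P:            # only r = 0 can reach these two x values
        return 0 if elligator2_map(0) == (x, y) else None
    if not is_square((-Z * x * (x + A)) % P):
        return None
    if y == (-sqrt_mod(curve_rhs(x))) % P: # point came from the x = v branch
        r2 = (-(x + A) * inv(Z * x)) % P
    else:                                  # point came from the x = -A - v branch
        r2 = (-x * inv(Z * (x + A))) % P
    return sqrt_mod(r2)


def encode_representative(r):
    """32-byte little-endian encoding; r < 2^254, so the top two bits are always 0.
    A wire format that wants a uniform 256-bit string fills those bits randomly."""
    return r.to_bytes(32, "little")


def image_fraction(n):
    """Fraction of curve points (x, canonical y) for x = 1..n that have a representative."""
    hits = total = 0
    for x in range(1, n + 1):
        if not is_square(curve_rhs(x)):
            continue                       # no point with this x-coordinate
        total += 1
        if elligator2_inverse(x, sqrt_mod(curve_rhs(x))) is not None:
            hits += 1
    return hits / total


if __name__ == "__main__":
    import secrets
    r = secrets.randbelow(HALF + 1)        # a fresh representative, as a DH party would draw
    x, y = elligator2_map(r)
    assert on_curve(x, y) and elligator2_inverse(x, y) == r
    print("round trip ok; top byte of encoding:", encode_representative(r)[31])
    print("fraction of points with a representative:", image_fraction(400))
```

The inverse is where the security property comes from: a party that draws r uniformly from [0,(p-1)/2] and sends the encoding of r instead of the x-coordinate sends something an observer cannot distinguish from a random 254-bit string, while the peer recovers the same point with `elligator2_map`. The price is that a key is only usable if its point lies in the image, so roughly every second keypair has to be discarded and regenerated.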