Summer 2013 Tor Developer Meeting, Day 2 Session 1: crypto discussion with Tanja
Author: isis
Date: 2013-07-23 Tue
Table of Contents
-----------------
1. tor's current crypto
1.1. problematic protocols
1.1.1. TLS
1.1.2. SHA1
1.1.3. RSA 1024 for .onion
1.1.4. AES-CTR-SHA1-32
1.2. keys which routers currently have
1.2.1. identity key
1.2.2. onion-tap key
1.2.3. onion-ntor key
1.2.4. TLS_LINK AUTH key
2. other things to look into
2.1. HHFHFH
2.2. @TweetNaCL
2.3. dual elliptic curve RNG
2.4. speed considerations
2.5. elligator
1. tor's current crypto
1.1. problematic protocols
1.1.1. TLS
1.1.2. SHA1
1.1.3. RSA 1024 for .onion
- upgrading keysize is trivial in some places, hard in others
- only used for identity keys, hence only for authentication
1.1.4. AES-CTR-SHA1-32
- 32 because the hash is truncated
- counter mode is needed for the HMAC; could be replaced with ECIES (ElGamal + DH). This would allow signing and Diffie-Hellman between nodes, and therefore cross-certification between nodes
- nothing currently signs the identity keys, but the identity keys sign a bunch of other things
- If you demand an identity key from a node, and the identity key signs the TLS session key, then an attacker who discovers the guard node for a hidden service could MITM the TLS session. Mike mentions that you could then do "funny things with the circuit".
1.2. keys which routers currently have
1.2.1. identity key
**RSA 1024**
1.2.2. onion-tap key
**RSA 1024**
- used for the circuit extension protocol
1.2.3. onion-ntor key
**Curve25519**
- newer protocol for circuit extension
- Should we do mixed circuits between the old TAP protocol + NTOR, or should we allow clients to only use NTOR protocol if a full circuit can be constructed with NTOR's Curve25519 keys?
1.2.4. TLS_LINK AUTH key
**RSA 1024**
2. other things to look into
2.1. HHFHFH
- noncryptographic hash function
- fast block cipher
- AUTH_SIGN RSA 1024
- AUTHID RSA 3072
2.2. @TweetNaCL
- compact reimplementation of NaCl that fits in 100 tweets of compilable C
2.3. dual elliptic curve RNG
- Andrea mentions it as a creepy backdoored RNG; search for this term to find the details.
2.4. speed considerations
- Salsa20 compatibility
2.5. elligator
- ~~Montgomery notation~~ Montgomery form: the DH handshake sends just the x-coordinate of an ECC point, which looks random at a glance. It is not uniform, though: only about half of all field elements are valid x-coordinates, so a censor can distinguish Curve25519 public keys from random strings. That is the problem Elligator addresses.
Tanja: method to map any integer in [0, (p-1)/2] to an EC point; the map is invertible, and for p close to a power of 2 (p ≈ 2^b) the set [0, (p-1)/2] is indistinguishable from [0, 2^(b-1)]. For details see http://eprint.iacr.org/2013/325. A construction compatible with Curve25519 will come soon.
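Worked example, added to these notes and not code from the meeting, from Tor, or from the Elligator authors: Elligator 2 instantiated on Curve25519 in Montgomery form y^2 = x^3 + 486662 x^2 + x over GF(2^255 - 19), with the non-square u = 2 and the "non-negative" half [0, (p-1)/2] as the representative set, following http://eprint.iacr.org/2013/325. The Curve25519 parameters are the ones from the published Elligator 2 construction, which postdates this discussion; the 32-byte encoding that fills the two unused top bits with random bits is my own choice, as is the round-trip check in the inverse. The block also measures how many random field elements are valid x-coordinates, which is the distinguisher the first bullet glosses over.

```python
"""Elligator 2 on Curve25519 (added example): field elements <-> curve points, both ways."""
import random

# Curve25519 in Montgomery form y^2 = x^3 + A*x^2 + B*x over GF(p).
p = 2**255 - 19
A = 486662
B = 1
u = 2                               # fixed non-square: 2 is a non-residue because p = 5 (mod 8)
HALF = (p - 1) // 2                 # 0..HALF are the "non-negative" elements, the representatives
SQRT_M1 = pow(2, (p - 1) // 4, p)   # a square root of -1, needed by sqrt() below


def inv(a):
    return pow(a, p - 2, p)


def chi(a):
    """Legendre symbol: 1 for a nonzero square, -1 for a non-square, 0 for a == 0."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, HALF, p) == 1 else -1


def sqrt(a):
    """Non-negative square root of a square a (the root lying in 0..HALF)."""
    a %= p
    c = pow(a, (p + 3) // 8, p)      # candidate root; this shortcut is valid because p = 5 (mod 8)
    if c * c % p != a:
        c = c * SQRT_M1 % p
    if c * c % p != a:
        raise ValueError("not a square")
    return min(c, p - c)


def f(x):
    """Right-hand side of the curve equation."""
    return (x**3 + A * x * x + B * x) % p


def elligator2_map(r):
    """psi(r): representative r in 0..HALF -> point (x, y) on the curve."""
    assert 0 <= r <= HALF
    v = -A * inv(1 + u * r * r) % p    # 1 + u*r^2 is never 0 here: -1/u is a non-square
    e = chi(f(v))                      # never 0 on Curve25519 (its only 2-torsion x is 0)
    x = v if e == 1 else (-v - A) % p  # this is e*v - (1 - e)*A/2 written out for e = +-1
    y = -e * sqrt(f(x)) % p
    return x, y


def elligator2_inverse(x, y):
    """psi^-1: point -> representative in 0..HALF, or None if the point is not in the image."""
    x %= p
    y %= p
    if y * y % p != f(x):
        return None                    # not a curve point
    if y <= HALF:                      # non-negative y: produced by the e == -1 branch
        if (x + A) % p == 0:
            return None
        r2 = -x * inv(u * (x + A)) % p
    else:                              # negative y: produced by the e == +1 branch (x != 0 here)
        r2 = -(x + A) * inv(u * x) % p
    if chi(r2) == -1:
        return None
    r = sqrt(r2)
    # Round trip guards the corner cases (x == 0, x == -A): only genuine image points return r.
    return r if elligator2_map(r) == (x, y) else None


def representative_bits():
    """Bits needed for every representative: 254 for Curve25519, since (p-1)/2 is just under 2^254."""
    return HALF.bit_length()


def encode(r, rng):
    """32-byte string for r. Bits 254 and 255 are unused, so fill them with random bits
    (my choice, not the paper's) so the whole string is uniform, not just the low 254 bits."""
    return (r | (rng.getrandbits(2) << 254)).to_bytes(32, "little")


def decode(b):
    return int.from_bytes(b, "little") & ((1 << 254) - 1)


def fraction_valid_x(n, seed=0):
    """Fraction of uniform field elements that are x-coordinates of curve points (about 1/2):
    this is why a raw Montgomery x-coordinate is distinguishable from a random string."""
    rng = random.Random(seed)
    return sum(chi(f(rng.randrange(p))) != -1 for _ in range(n)) / n


def roundtrip_ok(n, seed=0):
    """Every random representative must survive map -> inverse and encode -> decode."""
    rng = random.Random(seed)
    for _ in range(n):
        r = rng.randrange(HALF + 1)
        x, y = elligator2_map(r)
        if elligator2_inverse(x, y) != r or decode(encode(r, rng)) != r:
            return False
    return True


if __name__ == "__main__":
    rng = random.Random(2013)
    r = rng.randrange(HALF + 1)
    x, y = elligator2_map(r)
    print("representative bits:", representative_bits())
    print("r -> point -> r round trip:", elligator2_inverse(x, y) == r)
    print("share of random field elements that are valid x:", fraction_valid_x(2000))
```

Two things worth noticing when running it: every representative in [0, (p-1)/2] maps to a point and comes back unchanged, while only about half of random field elements pass the "is this a valid x" test, so a handshake that sends Elligator representatives instead of x-coordinates removes the 50% distinguisher. The inverse only succeeds for roughly half of all curve points, which is why a key generator using this has to retry until the freshly generated public key lies in the image.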