[tor-dev] Improved circuit-setup protocol [was: Re: Designing and implementing improved circuit-setup protocol [was: GSoC 2011]]
Ian Goldberg
iang at cs.uwaterloo.ca
Thu Apr 7 22:04:15 UTC 2011
On Thu, Apr 07, 2011 at 05:18:12PM -0400, Nick Mathewson wrote:
> 8) This is totally back-of-the-envelope stuff, but it might be a good
> starting point for crypto discussion.
>
> Here's a first cut of what I think might go in an improved RSA handshake:
>
> * First 8 bytes of the SHA256 hash of the onion key [8 bytes]
> (This is here so that onion key rotation can work without having
> to sometimes try the wrong onion key incorrectly.)
> * PK-encrypted:
> * Padding [PK_PAD_LEN bytes]
> * SHA256 hash of all remaining fields. [32 bytes]
> * Symmetric key seed [16 bytes]
> * The first part of g^x. [as much will fit in the PK-encrypted portion]
> * Symmetrically encrypted:
> * The rest of g^x.
> * 0 bytes for padding.
>
> Here's a first cut of what I think might go in a hypothetical
> diffie-hellman based handshake, for use with something like
> Curve25519. (I'm using g^x and g^y notation here as if this were
> diffie-hellman in Z_p, since I don't yet trust myself to write ECC
> stuff correctly. I'm assuming that the node's public onion key is
> g^x.)
>
> * SHA256 of all remaining fields. [32 bytes]
> * First 8 bytes of the SHA256 hash of the onion key (8 bytes)
> * g^y1 [DH_LEN bytes]
> * Encrypted using a symmetric key based on g^(x*y1):
> * g^y2 [DH_LEN bytes]
> * 0 bytes for padding
The phrase that jumps to mind is, "Danger Will Robinson!". ;-) If
we're redesigning the AKE (authenticated key agreement) bits, we
probably shouldn't just make up our own stuff.
- Ian
More information about the tor-dev
mailing list