[tor-dev] N reasons why the spooks love Tribler (Number N' will surprise you)
Nick Mathewson
nickm at alum.mit.edu
Sat Dec 20 19:09:44 UTC 2014
On Sat, Dec 20, 2014 at 4:56 AM, Yawning Angel <yawning at schwanenlied.me> wrote:
[...]
> * How not to do Diffie-Hellman:
>
> key = pow(dh_received, dh_secret, DIFFIE_HELLMAN_MODULUS)
>
> This is relatively minor since recovering the secret key is trivial
> via PRNG attacks, so the fact that the modular exponentiation is not
> constant time matters less.
Additionally, I don't believe their code checks that the dh_secret
value is actually in [2..(p-1)], which enables an attack if the node
receiving an EXTEND cell replaces enc(g^x) and g^y with enc(1), 1
respectively. This makes the circuit crypto more or less pointless.
And I think that the CREATE cell handler's code's implementation of
the (deprecated) TAP protocol is vulnerable to the timing attack
discussed in Goldberg's "On the Security of the Tor Authentication
Protocol".
> Recommendations:
>
> * For users, "don't". Cursory analysis found enough fundamental
> flaws, and secure protocol design/implementation errors that I would
> be reluctant to consider this secure, even if the known issues were
> fixed. It may be worth revisiting in several years when the
> designers obtain more experience, and a thorough third party audit
> of the improved code and design has been done.
Yeah. To be clear, if you had reviewed Tor in 2004, you would have
found a lot of horrible mistakes too. Software gets better, and
programmers get better.
This one has a long way to go, but if they keep at it, it will
eventually get there.
(Honestly, I find that the best way to put these kinds of mistakes into
context is to put a huge disclaimer on the front of all new software,
so that people will know not to use it until it's had a lot of
attention.)
--
Nick
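A defensive check for the point raised above, as an added example that is not code from Tribler or from either poster: a toy safe-prime group (constructed, far too small for real use) and a validation routine that rejects the degenerate public values, beside the unchecked one-liner quoted in the thread, so the effect of a substituted 1 can be seen directly.

```python
# Constructed toy parameters (NOT for real use): p = 23 is a safe prime
# (p = 2q + 1 with q = 11) and g = 5 generates the full group mod 23.
P = 23
G = 5


class InvalidPublicValue(ValueError):
    """Raised when a peer's Diffie-Hellman value is degenerate."""


def derive_key_unchecked(dh_received, dh_secret, p=P):
    """The one-liner quoted in the thread: no validation of the peer's value."""
    return pow(dh_received, dh_secret, p)


def validate_dh_public(y, p=P):
    """Reject degenerate public values.

    0, 1 and p-1 force the shared secret into {0, 1, p-1} no matter what
    our exponent is; anything outside [2, p-2] is one of those or is not
    reduced mod p.  For a safe prime, excluding 1 and p-1 leaves only
    elements of order q or 2q, so no small-subgroup value survives.
    """
    if not isinstance(y, int):
        raise InvalidPublicValue("public value must be an integer")
    if y < 2 or y > p - 2:
        raise InvalidPublicValue(f"public value {y} not in [2, p-2]")
    return y


def derive_key_checked(dh_received, dh_secret, p=P):
    """Same exponentiation, but only after the peer's value is validated."""
    validate_dh_public(dh_received, p)
    return pow(dh_received, dh_secret, p)


def simulate_substitution(our_secret, p=P):
    """Model the attack described in the thread: the peer's g^y is replaced
    by 1.  The unchecked key collapses to 1 for every possible secret; the
    checked path refuses the value.  Returns (unchecked_key, checked_error).
    """
    unchecked = derive_key_unchecked(1, our_secret, p)
    try:
        derive_key_checked(1, our_secret, p)
        checked = None
    except InvalidPublicValue as exc:
        checked = str(exc)
    return unchecked, checked
```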