[tor-dev] N reasons why the spooks love Tribler (Number N' will surprise you)

Nick Mathewson nickm at alum.mit.edu
Sat Dec 20 19:09:44 UTC 2014


On Sat, Dec 20, 2014 at 4:56 AM, Yawning Angel <yawning at schwanenlied.me> wrote:
 [...]
>  * How not to do Diffie-Hellman:
>
>    key = pow(dh_received, dh_secret, DIFFIE_HELLMAN_MODULUS)
>
>    This is relatively minor since recovering the secret key is trivial
>    via PRNG attacks, so the fact that the modular exponentiation is not
>    constant time matters less.

Additionally, I don't believe their code checks that the dh_secret
value is actually in [2..(p-1)], which enables an attack if the node
receiving an EXTEND cell replaces enc(g^x) and g^y with enc(1), 1
respectively.  This makes the circuit crypto more or less pointless.

And I think that the CREATE cell handler's code's implementation of
the (deprecated) TAP protocol is vulnerable to the timing attack
discussed in Goldberg's "On the Security of the Tor Authentication
Protocol".

> Recommendations:
>
>  * For users, "don't".  Cursory analysis found enough fundamental
>    flaws, and secure protocol design/implementation errors that I would
>    be reluctant to consider this secure, even if the known issues were
>    fixed.  It may be worth revisiting in several years when the
>    designers obtain more experience, and a thorough third party audit
>    of the improved code and design has been done.

Yeah.  To be clear, if you had reviewed Tor in 2004, you would have
found a lot of horrible mistakes too. Software gets better, and
programmers get better.

This one has a long way to go, but if they keep at it, it will
eventually get there.

(Honestly, I find that the best way to put these kinds of mistakes into
context is to put a huge disclaimer on the front of all new software,
so that people will know not to use it until it's had a lot of
attention.)

-- 
Nick
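An added example, not Tribler's or Tor's code, of the check the thread describes as missing: validate a received Diffie-Hellman value before exponentiating with it, so that a substituted 1 (or 0, or p-1, or a small-order element) is rejected instead of collapsing the shared secret. The group is a constructed toy safe prime and the function names are assumptions; the checks themselves do not depend on group size.

```python
import secrets

# Constructed toy group (labelled as such): p = 23 is a safe prime
# (p = 2q + 1 with q = 11) and g = 2 generates the order-q subgroup.
# Real deployments use a standardised group (RFC 3526 / RFC 7919);
# the validation below is the same for any such group.
TOY_P = 23
TOY_Q = (TOY_P - 1) // 2
TOY_G = 2


def validate_dh_public(y: int, p: int, q: int) -> None:
    """Reject a received DH value that would make the shared secret predictable.

    Range check: y in [2, p-2] excludes 0, 1 and p-1, the values an active
    party can substitute to force pow(y, secret, p) to 0, 1 or +-1.
    Subgroup check: y**q == 1 (mod p) excludes elements outside the
    prime-order subgroup generated by g (small-subgroup confinement).
    """
    if not 2 <= y <= p - 2:
        raise ValueError("DH public value outside [2, p-2]")
    if pow(y, q, p) != 1:
        raise ValueError("DH public value not in the prime-order subgroup")


def is_valid_dh_public(y: int, p: int, q: int) -> bool:
    """Boolean wrapper around validate_dh_public for callers that prefer it."""
    try:
        validate_dh_public(y, p, q)
        return True
    except ValueError:
        return False


def dh_keypair(p: int, q: int, g: int) -> tuple[int, int]:
    """Private exponent drawn from the OS CSPRNG, never a seedable PRNG."""
    x = 2 + secrets.randbelow(q - 2)  # x in [2, q-1], so g**x is never 1
    return x, pow(g, x, p)


def dh_shared_secret(received: int, secret: int, p: int, q: int) -> int:
    """Validate the peer's value first, then exponentiate (compare with the
    unchecked pow(dh_received, dh_secret, DIFFIE_HELLMAN_MODULUS) quoted above)."""
    validate_dh_public(received, p, q)
    return pow(received, secret, p)
```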

