[tor-dev] Some initial analysis on the new "Triple Handshake Attack" and Tor

Watson Ladd watsonbladd at gmail.com
Wed Mar 5 01:07:17 UTC 2014


On Tue, Mar 4, 2014 at 7:05 AM, Nick Mathewson <nickm at alum.mit.edu> wrote:
> On Mon, Mar 3, 2014 at 10:37 PM, Watson Ladd <watsonbladd at gmail.com> wrote:
>
>> How about 6: Tor server to server connections should use
>> ECDHE+ChaCha20 or GCM_AES ciphersuites only?
>> This closes the UKS hole that enabled this attack to happen, and
>> probably is a good idea anyway.
>
>
> To make sure I understand, it's the ECDHE that's the defense here:
> unlike DHE, ECDHE implementations don't let the attacker pick an
> arbitrary set of parameters which might not define a real group, and
> so if ECDHE is used, the attacker can't force two connections to share
> the same keys.

That's exactly correct.

>
> I guess this is another "defense in depth" item: as of Tor 0.2.4.x*,
> the preferred ciphersuites are all ECDHE ones.  But that isn't quite
> good enough, since non-ECDHE ciphersuites are still supported, so an
> attacker can simply pretend not to support them when talking to the
> client and the server.
>
> It would be helpful to know what fraction of 0.2.4.x servers support
> ECDHE ciphersuites today. That would let us figure out what obstacles
> there might be to dropping non-ECDHE ciphersuites in the future.
>
>
> * Assuming you're built with a good enough version of OpenSSL that
> doesn't have ECC turned off.
>
> best wishes,
> --
> Nick
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
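
An added example, not part of the original message and not Tor's own code: the thread's point that preferring ECDHE is not the same as accepting only ECDHE, written as an audit of an OpenSSL cipher string using Python's ssl module. Both cipher strings and the function names are constructed for illustration.

```python
import ssl

# Cipher strings constructed for this example (OpenSSL cipher-list syntax).
STRICT = "ECDHE+AESGCM:ECDHE+CHACHA20"
# ECDHE suites listed first (preferred), but DHE and RSA key exchange still accepted.
PREFER_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:AES128-SHA"


def enabled_suites(cipher_string):
    """Expand an OpenSSL cipher string into the TLS <= 1.2 suite names it enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # set_ciphers() does not govern TLS 1.3 suites, and the thread predates
    # TLS 1.3, so those entries are left out of the audit.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def violations(cipher_string):
    """Return enabled suites that are not ECDHE with AES-GCM or ChaCha20."""
    bad = []
    for name in enabled_suites(cipher_string):
        is_ecdhe = name.startswith("ECDHE-")
        is_aead = "GCM" in name or "CHACHA20" in name
        if not (is_ecdhe and is_aead):
            bad.append(name)
    return bad


if __name__ == "__main__":
    for label, cipher_string in (("strict", STRICT), ("prefer-only", PREFER_ONLY)):
        # An empty list means a peer cannot steer the handshake to a
        # non-ECDHE suite by omitting the ECDHE ones from its offer.
        print(label, violations(cipher_string) or "OK")
```

The exact suite names reported depend on the local OpenSSL build.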

