[tor-dev] RFC: obfs4 (Name not final)

Michael Rogers michael at briarproject.org
Fri May 23 15:42:09 UTC 2014


On 23/05/14 13:16, Philipp Winter wrote:
> - ScrambleSuit's framing mechanism is vulnerable to this attack: 
> <http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf> In a nutshell, the
> receiver needs to decrypt the ScrambleSuit header before it is able
> to verify the HMAC which makes it possible for an attacker to 
> tamper with the length fields.  While there are probably simpler
> attacks, it would be nice to have a fix for this problem.

In the next version of the Briar transport protocol we're addressing
that problem by dividing each frame into two parts. The first part is
a fixed-length header, the second is a variable-length body. Each part
is separately encrypted and MACed. The header contains the length of
the body.

This requires two MACs per frame, but I prefer that to the
alternatives: using fixed-length frames, or using the decrypted length
field before checking whether it's been tampered with.

Cheers,
Michael

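The two-part frame described in the message above, sketched as an added example; it is not code from the original post or from Briar. The 16-bit length field, HMAC-SHA256 tags, sequence-number nonces, the SHA-256 counter keystream standing in for a real cipher, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                 # HMAC-SHA256 tag
HDR_SEALED = 2 + TAG_LEN     # encrypted 16-bit body length + tag (assumed layout)

def _xor_stream(key, nonce, data):
    # Stand-in stream cipher (SHA-256 in counter mode), for illustration only.
    ks = b""
    ctr = 0
    while len(ks) < len(data):
        ks += hashlib.sha256(key + nonce + struct.pack(">I", ctr)).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, ks))

def _seal(enc_key, mac_key, nonce, plaintext):
    # Encrypt, then MAC the nonce and ciphertext.
    ct = _xor_stream(enc_key, nonce, plaintext)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def _open(enc_key, mac_key, nonce, sealed):
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    want = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("MAC check failed")   # nothing is decrypted on failure
    return _xor_stream(enc_key, nonce, ct)

def _nonce(seq, part):
    # part 0 = header, 1 = body, so a header tag can never validate a body.
    return struct.pack(">QB", seq, part)

def write_frame(enc_key, mac_key, seq, body):
    length = struct.pack(">H", len(body))      # body must fit in 16 bits
    header = _seal(enc_key, mac_key, _nonce(seq, 0), length)
    return header + _seal(enc_key, mac_key, _nonce(seq, 1), body)

def read_frame(enc_key, mac_key, seq, buf):
    """Return (body, remaining bytes), or None if more input is needed."""
    if len(buf) < HDR_SEALED:
        return None
    # The length is trusted only after the header's own MAC has verified.
    length = _open(enc_key, mac_key, _nonce(seq, 0), buf[:HDR_SEALED])
    (body_len,) = struct.unpack(">H", length)
    end = HDR_SEALED + body_len + TAG_LEN
    if len(buf) < end:
        return None
    body = _open(enc_key, mac_key, _nonce(seq, 1), buf[HDR_SEALED:end])
    return body, buf[end:]
```

A tampered length field is rejected as soon as the fixed-length header has arrived, so the receiver never waits for, or buffers, a body whose size was chosen by the attacker.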
