[tor-dev] obfs4 questions

Michael Rogers michael at briarproject.org
Fri Nov 28 13:08:04 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

In the obfs4 spec I couldn't find a description of how the secretbox
nonces for the frames are constructed. A 16-byte nonce prefix comes
from the KDF, but what about the remaining 8 (presumably
frame-specific) bytes?

If an attacker changes the order of the secretboxes so that the
recipient tries to open a secretbox with the wrong nonce, is that
guaranteed to fail, as it would if the secretbox had been modified? I
can make a hand-wavy argument for why I think it will fail, but I
don't know whether the secretbox construct is designed to ensure this.

Any particular reason for using two different MACs (HMAC-SHA256-128
for the handshake, Poly1305 for the frames) and two different hashes
(SHA-256 for the handshake, SipHash-2-4 for obfuscation)?

Cheers,
Michael
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJUeHO0AAoJEBEET9GfxSfMcPEH/iEYxlXtceeG3/wzp97oW/He
lPNqqowyXczlyJO0SDG8L96hG6RYQZb7M0t8KJsYJapAznioZi2/qRQEC2/VFXg1
1EN//Bd9iO7QUXaIo1djC97Qoq3qmR/GY50xKYIjxr/gZSLk2dAAtleFUuerBrl9
nLrTr7kSKk3xzY0GFYtYKbj3bvuGusGrFioAIgfnKtF8iAlSjEIo8uE2Y1RFVu2d
Q9GOake1VjC5V7Ue/MDCpWagwebPhnDHXSCWSXhvrYT5rmkjrkR2nhl2hAIq/0pA
sfjsGquMrT5fdXcRrQaxHsamCt1228/ZlEAkCep/PRpS0NgLDJlRtPe49RD44Gk=
=OHtY
-----END PGP SIGNATURE-----


More information about the tor-dev mailing list