Cryptographic directions in Tor. Nick Mathewson, nickm@torproject.org



SLIDE 1

Cryptographic directions in Tor

Nick Mathewson nickm@torproject.org 6 Jan 2016

SLIDE 2

Outline

  • Where we started
  • Where we are
  • Where we're going – maybe.
SLIDE 3

Let's oversimplify Tor, in 1 slide.

[Diagram: Alice → R1 → R2 → R3 → Bob. Keys held: Alice: L1, K1, K2, K3; R1: L1, L2, K1; R2: L2, L3, K2; R3: L3, K3.]

SLIDE 4

We chose some reasonable-looking crypto in 2004...

  • Relay encryption: AES-CTR + Truncated SHA1

– End-to-end only

  • Key negotiation: “TAP”.

– (RSA1024 + DH1024 + AES-CTR)

  • Links: TLS1.0

– With DH1024, RSA1024, AES-CBC, SHA1.

SLIDE 5

...and we've replaced a lot of it...

  • Relay encryption: AES-CTR + Truncated SHA1

– End-to-end only

  • Key negotiation: “TAP” → “ntor”

– (RSA1024 + DH1024 + AES-CTR) → Curve25519 + SHA256

  • Links: TLS1.0

– With DH1024, RSA1024, AES-CBC, SHA1.

SLIDE 6

...and we've replaced a lot of it...

  • Relay encryption: AES-CTR + Truncated SHA1

– End-to-end only

  • Key negotiation: “TAP” → “ntor”

– (RSA1024 + DH1024 + AES-CTR) → Curve25519 + SHA256

  • Links: TLS1.0 → TLS >= 1.0...

– With DH1024, RSA1024, AES-CBC, SHA1. → With ECDH (P256), RSA1024, AES-GCM

SLIDE 7

But work remains!

  • Relay encryption: AES-CTR + Truncated SHA1

– End-to-end only

  • Key negotiation: “TAP” → “ntor”

– (RSA1024 + DH1024 + AES-CTR) → Curve25519 + SHA256

  • Links: TLS1.0 → TLS >= 1.0...

– With DH1024, RSA1024, AES-CBC, SHA1. → With ECDH (P256), RSA1024, AES-GCM

[Slide callouts: “Not Postquantum Enough!”; “Too Malleable!”; “Just no.”]

SLIDE 8

Malleable AES-CTR + end-to-end MAC allows tagging attacks.

[Diagram: Alice → Evil R1 → R2 → Evil R3 → Bob. Labels: “XORs data into ciphertext”; “Recovers plaintext, and finds data.”]

SLIDE 9

Solution: Add a MAC at each hop?

[Diagram: Alice → Evil R1 → R2 → Evil R3 → Bob. Labels: “XORs data into ciphertext”; “Rejects ciphertext.”; “Observes: Circuit closed.”]

SLIDE 10

Solution: Add a MAC at each hop?

[Diagram: Alice → Evil R1 → R2 → Evil R3 → Bob. Labels: “XORs data into ciphertext”; “Rejects ciphertext.”]
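
The malleability problem from slides 8 to 10, as an added example that is not part of the original slides: a change XORed into a stream-encrypted cell passes an honest middle relay unnoticed and is caught only by the end-to-end digest, while a per-hop MAC lets the next relay reject it. Assumptions: a SHA-256 counter-mode keystream stands in for AES-CTR, the digest is a simplified truncated SHA-1, the per-hop MAC travels out of band, and all keys, payloads and function names are constructed for the demo.

```python
import hashlib
import hmac

CELL_LEN = 64  # constructed demo size, not Tor's real cell length

def keystream(key: bytes, n: int) -> bytes:
    # Stand-in for AES-CTR (assumption): SHA-256 in counter mode.
    # Any XOR stream cipher has the same malleability.
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def layer(key: bytes, data: bytes) -> bytes:
    # Adds or removes one onion layer; XOR is its own inverse.
    return xor(data, keystream(key, len(data)))

def make_cell(payload: bytes) -> bytes:
    # Simplified end-to-end check: 4-byte truncated SHA-1 over the body.
    body = payload.ljust(CELL_LEN - 4, b"\0")
    return hashlib.sha1(body).digest()[:4] + body

def cell_ok(cell: bytes) -> bool:
    return hmac.compare_digest(cell[:4], hashlib.sha1(cell[4:]).digest()[:4])

def hop_mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

def run_demo() -> dict:
    k1, k2, k3 = (hashlib.sha256(b"constructed key %d" % i).digest() for i in (1, 2, 3))
    cell = make_cell(b"constructed payload")
    onion = layer(k1, layer(k2, layer(k3, cell)))   # what Alice sends
    tag = bytes([0x5A]) * CELL_LEN                  # constructed modification
    # Stream layers only: the change rides through the honest middle hop.
    to_r2 = xor(layer(k1, onion), tag)              # first hop alters the cell
    at_exit = layer(k3, layer(k2, to_r2))           # R2 and R3 strip their layers
    # Per-hop MAC: Alice authenticates what R2 should receive.
    mac_for_r2 = hop_mac(k2, layer(k1, onion))
    return {
        "change_reaches_exit_intact": xor(at_exit, tag) == cell,
        "end_to_end_digest_fails_at_exit": not cell_ok(at_exit),
        "r2_accepts_untouched": hmac.compare_digest(hop_mac(k2, layer(k1, onion)), mac_for_r2),
        "r2_accepts_altered": hmac.compare_digest(hop_mac(k2, to_r2), mac_for_r2),
    }

if __name__ == "__main__":
    print(run_demo())
```

In a real cell format the per-hop MACs have to be carried inside the cell, which is where the size difference noted on the next slide comes from.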

SLIDE 11

But that leaks path length/position.

[Diagram: Alice → R1 → R2 → R3 → Bob. Labels: “Big cells here!”; “Smaller cells here!”]

SLIDE 12

Solution: Chained wide-block SPRP?

[Diagram: Alice → Evil R1 → R2 → Evil R3 → Bob. Labels: “XORs data into ciphertext”; “Garbled ciphertext”; “Observes: Circuit garbled.”]

SLIDE 13

Single anonymity tool seeks SPRP for good times, encryption.

  • AEZ? (Rogaway et al.)

– CAESAR candidate
– Based on AES round function—complex.
– Fast with AESNI; less so if not??

  • HHFHFH? (djb et al.)

– Feistel construction: simple, has proofs.
– Instantiate with GF25519 / XChaCha20?
– Slower than AEZ?? Need more data!

  • Help?
SLIDE 14

Also let's do PQ circuit extension!

  • Forward secrecy matters most.
  • Needs to be fast-ish and small-ish.
  • No less secure than current ntor approach.

(approximately:)

– Alice → Bob: “g^x, Bob.”
– Bob → Alice: “g^y, H1(g^xy, g^xb….)”.
– Keys are: KDF(g^xy, g^xb….)

SLIDE 15

Also let's do PQ circuit extension!

  • Forward secrecy matters most.
  • Needs to be fast-ish and small-ish.
  • No less secure than current ntor approach.

(approximately:)

– Alice → Bob: “g^x, Bob, PQKey”
– Bob → Alice: “g^y, H1(g^xy, g^xb….), E(PQKey, N)”.
– Keys are: KDF(g^xy, g^xb, N ….)

SLIDE 16

Current candidates

  • ntru?
  • newhope?
  • _________ ?
SLIDE 17

Questions?

  • Also see tor-dev mailing list for more discussion!

  • Targeting 2016 deployment.
  • Also, ask me about hidden service crypto.