mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-28 14:23:30 +01:00
139 lines
5.7 KiB
Plaintext
139 lines
5.7 KiB
Plaintext
Filename: xxx-choosing-crypto-in-tor-protocol.txt
|
|
Title: Picking cryptographic standards in the Tor wire protocol
|
|
Author: Marian
|
|
Created: 2009-05-16
|
|
Status: Draft
|
|
|
|
Motivation:
|
|
|
|
SHA-1 is horribly outdated and not suited for security critical
|
|
purposes. SHA-2, RIPEMD-160, Whirlpool and Tigerare good options
|
|
for a short-term replacement, but in the long run, we will
|
|
probably want to upgrade to the winner or a semi-finalist of the
|
|
SHA-3 competition.
|
|
|
|
For a 2006 comparison of different hash algorithms, read:
|
|
http://www.sane.nl/sane2006/program/final-papers/R10.pdf
|
|
|
|
Other reading about SHA-1:
|
|
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
|
|
http://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html
|
|
http://www.schneier.com/paper-preimages.html
|
|
|
|
Additionally, AES has been theoretically broken for years. While
|
|
the attack is still not efficient enough that the public sector
|
|
has been able to prove that it works, we should probably consider
|
|
the time between a theoretical attack and a practical attack as an
|
|
opportunity to figure out how to upgrade to a better algorithm,
|
|
such as Twofish.
|
|
|
|
See:
|
|
http://schneier.com/crypto-gram-0209.html#1
|
|
|
|
Design:
|
|
|
|
I suggest that nodes should publish in directories which
|
|
cryptographic standards, such as hash algorithms and ciphers,
|
|
they support. Clients communicating with nodes will then
|
|
pick whichever of those cryptographic standards they prefer
|
|
the most. In the case that the node does not publish which
|
|
cryptographic standards it supports, the client should assume
|
|
that the server supports the older standards, such as SHA-1
|
|
and AES, until such time as we choose to desupport those
|
|
standards.
|
|
|
|
Node to node communications could work similarly. However, in
|
|
case they both support a set of algorithms but have different
|
|
preferences, the disagreement would have to be resolved
|
|
somehow. Two possibilities include:
|
|
* the node requesting communications presents which
|
|
cryptographic standards it supports in the request. The
|
|
other node picks.
|
|
* both nodes send each other lists of what they support and
|
|
what version of Tor they are using. The newer node picks,
|
|
based on the assumption that the newer node has the most up
|
|
to date information about which hash algorithm is the best.
|
|
Of course, the node could lie about its version, but then
|
|
again, it could also maliciously choose only to support older
|
|
algorithms.
|
|
|
|
Using this method, we could potentially add server side support
|
|
to hash algorithms and ciphers before we instruct clients to
|
|
begin preferring those hash algorithms and ciphers. In this way,
|
|
the clients could upgrade and the servers would already support
|
|
the newly preferred hash algorithms and ciphers, even if the
|
|
servers were still using older versions of Tor, so long as the
|
|
older versions of Tor were at least new enough to have server
|
|
side support.
|
|
|
|
This would make quickly upgrading to new hash algorithms and
|
|
ciphers easier. This could be very useful when new attacks
|
|
are published.
|
|
|
|
One concern is that client preferences could expose the client
|
|
to segmentation attacks. To mitigate this, we suggest hardcoding
|
|
preferences in the client, to prevent the client from choosing
|
|
to use a new hash algorithm or cipher that no one else is using
|
|
yet. While offering a preference might be useful in case a client
|
|
with an older version of Tor wants to start using the newer hash
|
|
algorithm or cipher that everyone else is using, if the client
|
|
cares enough, he or she can just upgrade Tor.
|
|
|
|
We may also have to worry about nodes which, through laziness or
|
|
maliciousness, refuse to start supporting new hash algorithms or
|
|
ciphers. This must be balanced with the need to maintain
|
|
backward compatibility so the client will have a large selection
|
|
of nodes to pick from. Adding new hash algorithms and ciphers
|
|
long before we suggest nodes start using them can help mitigate
|
|
this. However, eventually, once sufficient nodes support new
|
|
standards, client side support for older standards should be
|
|
disabled, particularly if there are practical rather than merely
|
|
theoretical attacks.
|
|
|
|
Server side support for older standards can be kept much longer
|
|
than client side support, since clients using older hashes and
|
|
ciphers are really only hurting theirselvse.
|
|
|
|
If server side support for a hash algorithm or cipher is added
|
|
but never preferred before we decide we don't really want it,
|
|
support can be removed without having to worry about backward
|
|
compatibility.
|
|
|
|
Security implications:
|
|
Improving cryptography will improve Tor's security. However, if
|
|
clients pick different cryptographic standards, they could be
|
|
partitioned based on their cryptographic preferences. We also
|
|
need to worry about nodes refusing to support new standards.
|
|
These issues are detailed above.
|
|
|
|
Specification:
|
|
|
|
Todo. Need better understanding of how Tor currently works or
|
|
help from someone who does.
|
|
|
|
Compatibility:
|
|
|
|
This idea is intended to allow easier upgrading of cryptographic
|
|
hash algorithms and ciphers while maintaining backwards
|
|
compatibility. However, at some point, backwards compatibility
|
|
with very old hashes and ciphers should be dropped for security
|
|
reasons.
|
|
|
|
Implementation:
|
|
|
|
Todo.
|
|
|
|
Performance and scalability nodes:
|
|
|
|
Better hashes and cipher are someimes a little more CPU intensive
|
|
than weaker ones. For instance, on most computers AES is a little
|
|
faster than Twofish. However, in that example, I consider Twofish's
|
|
additional security worth the tradeoff.
|
|
|
|
Acknowledgements:
|
|
|
|
Discussed this on IRC with a few people, mostly Nick Mathewson.
|
|
Nick was particularly helpful in explaining how Tor works,
|
|
explaining goals, and providing various links to Tor
|
|
specifications.
|