Re: [tor-dev] Proposal 332: Ntor protocol with extra data, version 3.
On Fri, Jul 16, 2021 at 8:31 AM Ian Goldberg wrote: [...] > But this post from Trevor also made me realize a bigger issue with the > protocol Nick proposed: > > If you want the protocol to work with Walking Onions, it needs to be > *post-specified peer*. That is, contrary to: > > > The client knows: > > * B: a public "onion key" for S > > The client will in fact _not_ know B in advance in a Walking Onions > setting, but rather will learn it at the end of the handshake. The > protocol Nick specified does in fact use B in the first message, unlike > the current ntor handshake, which just sends KEYID(B) in the first flow, > but it's not part of the math, or indeed as far as I can see, used for > anything at all in Section 5.1.4 of tor-spec.txt, and so can be easily > removed (and replaced with B being sent by the server) for Walking > Onions. Well, in the current deployment, the client only knows one B for each server at a time, and if the server responds with a B that the client _doesn't_ recognize, the client won't have any idea whether or not B is really authentic. (Priving that B is authentic is a big part of what Walking Onions has to solve.) Walking Onions is a big enough set of protocol changes that I'm comfortable requiring a subsequent handshake bump when we get there. Who knows, we may want another one between now and then if we decide to go hybrid-PQ or use Noise or something :) cheers, -- Nick ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal 332: Ntor protocol with extra data, version 3.
On Fri, Jul 16, 2021 at 5:31 AM Ian Goldberg wrote: > > On Tue, Jul 13, 2021 at 11:34:47AM -0700, Trevor Perrin wrote: > > You also wanted to add an (optional) pre-shared key, which Noise supports: > > > > NKpsk0: > > <- s > > ... > > -> psk, e, es > > <- e, ee > > Out of curiosity, Trevor, what properties does this Noise protocol > provide for low-entropy psk? The Noise PSK is intended for 256-bit secrets, however: * A low-entropy (even malicious) PSK can't reduce the security of the rest of the handshake. I.e. NKpsk0 with a bad PSK has all the security properties of NK. * The handshake will only complete successfully if both parties use the same PSK. This is *NOT* a PAKE: the legitimate recipient of the first NKpsk0 handshake message will be able to try offline guesses for the PSK. Noise doesn't have a PAKE feature. You could generically combine a Noise handshake with an Oblivious PRF to produce a PAKE (like Hugo's OPAQUE). Integrating a "balanced" PAKE, like in OTR, would be more complicated. > If you want the protocol to work with Walking Onions, it needs to be > *post-specified peer*. That is, contrary to: > > > The client knows: > > * B: a public "onion key" for S > > The client will in fact _not_ know B in advance in a Walking Onions > setting, but rather will learn it at the end of the handshake. I don't know the requirements here, but fwiw here's what pre-specified peer (NK or NK1) vs post-specified peer (NX) looks like for a Noise handshake: NK: <- s ... -> e, es <- e, ee NX: -> e <- e, ee, s, es Trevor ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal 332: Ntor protocol with extra data, version 3.
On Tue, Jul 13, 2021 at 11:34:47AM -0700, Trevor Perrin wrote: > You also wanted to add an (optional) pre-shared key, which Noise supports: > > NKpsk0: > <- s > ... > -> psk, e, es > <- e, ee Out of curiosity, Trevor, what properties does this Noise protocol provide for low-entropy psk? Nick, what are the settings in Tor (if any) in which low-entropy psk will come up? But this post from Trevor also made me realize a bigger issue with the protocol Nick proposed: If you want the protocol to work with Walking Onions, it needs to be *post-specified peer*. That is, contrary to: > The client knows: > * B: a public "onion key" for S The client will in fact _not_ know B in advance in a Walking Onions setting, but rather will learn it at the end of the handshake. The protocol Nick specified does in fact use B in the first message, unlike the current ntor handshake, which just sends KEYID(B) in the first flow, but it's not part of the math, or indeed as far as I can see, used for anything at all in Section 5.1.4 of tor-spec.txt, and so can be easily removed (and replaced with B being sent by the server) for Walking Onions. ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal 332: Ntor protocol with extra data, version 3.
Hi Nick, you might look at the Noise framework: http://noiseprotocol.org/noise.html Noise has a naming scheme for "handshake patterns". Ntor matches what we call NK1. Your new scheme I think matches NK (the 1 in NK1 indicates a "deferred" pattern where the DH operation that authenticates the server is performed prior to the 2nd message rather than the first). NK1: <- s ... -> e <- e, ee, es (read as: initiator has pre-knowledge of server's static public key s; initiator sends their ephemeral in first message; responder sends their ephemeral in second message, then performs the two 2 DH operations, hashing them together and using the result for encrypting future data). In NK, the ephemeral-static DH is performed earlier so that the first message's handshake payload can be encrypted: NK: <- s ... -> e, es <- e, ee You also wanted to add an (optional) pre-shared key, which Noise supports: NKpsk0: <- s ... -> psk, e, es <- e, ee Some advantages of Noise are that you could reuse existing libraries and Noise's growing body of security analysis. Also, we're working on KEM extensions for post-quantum, signatures, and other things, so Noise might make it easier to evolve the protocol (eg NK1 vs NK vs NKpsk0). Trevor On Mon, Jul 12, 2021 at 9:02 AM Nick Mathewson wrote: > > ``` > Filename: 332-ntor-v3-with-extra-data.md > Title: Ntor protocol with extra data, version 3. > Author: Nick Mathewson > Created: 12 July 2021 > Status: Open > ``` > > # Overview > > The ntor handshake is our current protocol for circuit > establishment. > > So far we have two variants of the ntor handshake in use: the "ntor > v1" that we use for everyday circuit extension (see `tor-spec.txt`) > and the "hs-ntor" that we use for v3 onion service handshake (see > `rend-spec-v3.txt`). This document defines a third version of ntor, > adapting the improvements from hs-ntor for use in regular circuit > establishment. > > These improvements include: > > * Support for sending additional encrypted and authenticated >protocol-setup handshake data as part of the ntor handshake. (The >information sent from the client to the relay does not receive >forward secrecy.) > > * Support for using an external shared secret that both parties must >know in order to complete the handshake. (In the HS handshake, this >is the subcredential. We don't use it for circuit extension, but in >theory we could.) > > * Providing a single specification that can, in the future, be used >both for circuit extension _and_ HS introduction. > > # The improved protocol: an abstract view > > Given a client "C" that wants to construct a circuit to a > relay "S": > > The client knows: > * B: a public "onion key" for S > * ID: an identity for S, represented as a fixed-length > byte string. > * CM: a message that it wants to send to S as part of the > handshake. > * An optional "verification" string. > > The relay knows: > * A set of [(b,B)...] "onion key" keypairs. One of them is > "current", the others are outdated, but still valid. > * ID: Its own identity. > * A function for computing a server message SM, based on a given > client message. > * An optional "verification" string. This must match the "verification" > string from the client. > > Both parties have a strong source of randomness. > > Given this information, the client computes a "client handshake" > and sends it to the relay. > > The relay then uses its information plus the client handshake to see > if the incoming message is valid; if it is, then it computes a > "server handshake" to send in reply. > > The client processes the server handshake, and either succeeds or fails. > > At this point, the client and the relay both have access to: > * CM (the message the client sent) > * SM (the message the relay sent) > * KS (a shared byte stream of arbitrary length, used to compute > keys to be used elsewhere in the protocol). > > Additionally, the client knows that CM was sent _only_ to the relay > whose public onion key is B, and that KS is shared _only_ with that > relay. > > The relay does not know which client participated in the handshake, > but it does know that CM came from the same client that generated > the key X, and that SM and KS were shared _only_ with that client. > > Both parties know that CM, SM, and KS were shared correctly, or not > at all. > > Both parties know that they used the same verification string; if > they did not, they do not learn what the verification string was. > (This feature is required for HS handshakes.) > > # The handshake in detail > > ## Notation > > We use the following notation: > > * `|` -- concatenation > * `"..."` -- a byte string, with no terminating NUL. > * `ENCAP(s)` -- an encapsulation function. We define this > as `htonll(len(s)) | s`. (Note that `len(ENCAP(s)) = len(s) + 8`). > * `PARTITION(s, n1, n2, n3, ...)` -- a function that partitions a
Re: [tor-dev] Proposal 332: Ntor protocol with extra data, version 3.
On Mon, Jul 12, 2021 at 03:09:02PM -0400, Nick Mathewson wrote: > On Mon, Jul 12, 2021 at 3:04 PM Ian Goldberg wrote: > > > > On Mon, Jul 12, 2021 at 12:01:47PM -0400, Nick Mathewson wrote: > > > Both parties know that they used the same verification string; if > > > they did not, they do not learn what the verification string was. > > > (This feature is required for HS handshakes.) > > > > I'm not sure the protocol you specify has this feature as written. For > > example, if the verification string has low entropy, the server could > > brute-force the client's verification string (using the MAC to check its > > guess). This is unlike, say, OTR's SMP or a PAKE, in which each online > > execution of the protocol allows the server just one guess. > > > > But perhaps you don't actually need the property in as strong a form as > > you wrote it, since the HS handshake application has high-entropy > > secrets? > > Oh yes, you are right, of course. > > Can you suggest a way to phrase this property that encompasses what > the protocol actually does provide? Could I convince you to use a hash (domain-separated but not keyed) of VER instead of ENCAP(VER)? Then you could say that the protocol reveals no more about VER than H_verstr(VER) does. [Note: H_verstr is different from H_verify.] ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal 332: Ntor protocol with extra data, version 3.
On Mon, Jul 12, 2021 at 3:04 PM Ian Goldberg wrote: > > On Mon, Jul 12, 2021 at 12:01:47PM -0400, Nick Mathewson wrote: > > Both parties know that they used the same verification string; if > > they did not, they do not learn what the verification string was. > > (This feature is required for HS handshakes.) > > I'm not sure the protocol you specify has this feature as written. For > example, if the verification string has low entropy, the server could > brute-force the client's verification string (using the MAC to check its > guess). This is unlike, say, OTR's SMP or a PAKE, in which each online > execution of the protocol allows the server just one guess. > > But perhaps you don't actually need the property in as strong a form as > you wrote it, since the HS handshake application has high-entropy > secrets? Oh yes, you are right, of course. Can you suggest a way to phrase this property that encompasses what the protocol actually does provide? best wishes, -- Nick ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal 332: Ntor protocol with extra data, version 3.
On Mon, Jul 12, 2021 at 12:01:47PM -0400, Nick Mathewson wrote: > Both parties know that they used the same verification string; if > they did not, they do not learn what the verification string was. > (This feature is required for HS handshakes.) I'm not sure the protocol you specify has this feature as written. For example, if the verification string has low entropy, the server could brute-force the client's verification string (using the MAC to check its guess). This is unlike, say, OTR's SMP or a PAKE, in which each online execution of the protocol allows the server just one guess. But perhaps you don't actually need the property in as strong a form as you wrote it, since the HS handshake application has high-entropy secrets? ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
