Re: [tor-dev] [prop269] Further changes to the hybrid handshake proposal (and NTor)

2016-10-18 Thread John M. Schanck
Hi BU, bustao...@cryptolounge.net wrote: > Perhaps my question is related to Michael's question, but above removing A, X, > Y and server ID leaves the possibility of a person-in-the-middle who by > manipulating public keys (resend 2A, instead of A, 2X instead of X, 2Y instead > of Y) can force two

Re: [tor-dev] [prop269] Further changes to the hybrid handshake proposal (and NTor)

2016-10-18 Thread bustaoglu
Quoting isis agora lovecruft: Hello, After discussion with John Schanck and Trevor Perrin over the last month, we've decided to make some alterations to the specification for hybrid handshakes in Tor proposal #269. It seems that John, Trevor, and I are mostly in

Re: [tor-dev] [prop269] Further changes to the hybrid handshake proposal (and NTor)

2016-10-17 Thread John M. Schanck
Hi Michael, Michael Rogers wrote: > If we're concerned with the server choosing its public material in such > a way as to bias the entropy extraction, does that mean that in this > case, the attacker is the server, and therefore the server's public > material shouldn't be included in the salt?

Re: [tor-dev] [prop269] Further changes to the hybrid handshake proposal (and NTor)

2016-10-17 Thread Michael Rogers
On 14/10/16 22:45, isis agora lovecruft wrote: > 1. [NTOR] Inputs to HKDF-extract(SALT, SECRET) which are not secret > (e.g. server identity ID, and public keys A, X, Y) are now removed from > SECRET and instead placed in the SALT. > > Reasoning: *Only* secret data should be placed

Re: [tor-dev] [prop269] Further changes to the hybrid handshake proposal (and NTor)

2016-10-17 Thread Trevor Perrin
On Fri, Oct 14, 2016 at 2:45 PM, isis agora lovecruft wrote: > > After discussion with John Schanck and Trevor Perrin over the last month, > we've decided to make some alterations to the specification for hybrid > handshakes in Tor proposal #269. > > It seems that John,