On Thu, Apr 07, 2011 at 11:20:00PM +0100, Steven J. Murdoch wrote:
> On Thu, Apr 07, 2011 at 06:13:45PM -0400, Nick Mathewson wrote:
> > Oh! Also, for a bit of redundancy, I'm thinking that the symmetric
> > crypto parts of the improved onion handshakes ought to be with a less
> > malleable mode of operation than the counter-mode stuff we do now.
> > Perhaps we could make use of an all-or-nothing mode of operation like
> > LIONESS or biIGE. (They're both slower than counter mode, but for
> > purposes of CREATE cells, I don't think the hit will matter in
> > comparison with the cost of the public-key operations.)
>
> This is another thing that triggers my crypto-spidey-sense. The
> particular problem that I'm thinking of is that for MAC-then-encrypt,
> only some modes of operation are secure (CTR is, CBC is not). In some
> ways, the malleability of CTR is a strength, and I'd be concerned that
> something else might be able to be leveraged in an attack.

But we're currently doing "encrypt", not "MAC-then-encrypt". And we
should be doing "encrypt-then-MAC", in my opinion, which ensures the
ciphertext can't be undetectably messed with.

In any event, yes, crypto-spidey-sense.

- Ian
_______________________________________________
tor-dev mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
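An added example, not code from this thread or from Tor, illustrating the two points above: CTR mode is malleable (a flipped ciphertext bit flips exactly one plaintext bit, undetected), and an encrypt-then-MAC wrapper rejects the tampered ciphertext before decrypting. It assumes HMAC-SHA256 as a stand-in PRF for the block cipher so it runs with the standard library only; the 16-byte nonce and 32-byte tag lengths are assumptions of this example.

```python
import hmac
import hashlib

# Example code, not from the thread. HMAC-SHA256 replaces the AES block
# function here (assumption); the malleability shown is a property of CTR
# mode itself, not of which PRF generates the keystream.
NONCE_LEN = 16
TAG_LEN = 32

def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream = PRF(key, nonce || counter) for counter = 0, 1, 2, ..."""
    out = b""
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR encryption and decryption are the same XOR with the keystream."""
    ks = ctr_keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def flip_bit(buf: bytes, byte_index: int, bit: int) -> bytes:
    out = bytearray(buf)
    out[byte_index] ^= 1 << bit
    return bytes(out)

def ctr_malleability_demo(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Plain CTR: a one-bit change in the ciphertext decrypts to the
    plaintext with that same bit changed, and nothing detects it."""
    ct = ctr_xor(key, nonce, plaintext)
    return ctr_xor(key, nonce, flip_bit(ct, 0, 0))

def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """Encrypt-then-MAC with independent keys; the tag covers nonce || ct."""
    assert len(nonce) == NONCE_LEN
    ct = ctr_xor(enc_key, nonce, pt)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_verified(enc_key: bytes, mac_key: bytes, msg: bytes):
    """Verify the tag first; return None on any tampering, never decrypt."""
    nonce, ct, tag = msg[:NONCE_LEN], msg[NONCE_LEN:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return ctr_xor(enc_key, nonce, ct)
```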
