On Tue, Oct 8, 2013 at 4:49 PM, Mike Perry <[email protected]> wrote:
> Jurre van Bergen: > > > > *OTR* > > OTR support comes from the Go crypto package: > > https://code.google.com/p/go.crypto/ > > This library only has support for OTRv2 and not the latest OTRv3 > > specification. If we want to be resistant to several attacks[1] on the > > OTR protocol, we need to reimplement the OTR protocol and update it to > > the latest version or, we use Cgo, which binds into libotr. (Open > > questions: OTR by default?, ) > > > > [1] > > > http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.165.7945&rep=rep1&type=pdf > > According to agl: > "The DH and DSA code uses Go's math/big library, which isn't constant > time." > > He said these non-constant time Go primitives are used by OTR, and will > be used by TLS if they are specified by the negotiated cipher suite. > The easy fix is to make go.crypto constant time, for at least what we need. If we are okay with bad performance this doesn't require much trickery for DH: saturated limb arithmetic modulo a constant with a precomputed Barrett reduction tables is constant time. DSA is harder because the modulus is provided as part of the key. I don't know how to do that in constant time. > > So xmpp-client's OTR and TLS support would definitely need to be > rewritten to call out to a native code implementation or rewritten to > use new constant time Go primitives, independent of OTRv2 vs OTRv3. > > -- > Mike Perry > > _______________________________________________ > tor-dev mailing list > [email protected] > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev > > -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
_______________________________________________ tor-dev mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
