On Sun, Nov 17, 2013 at 07:33:12PM -0800, David Stainton wrote:
> Hi,
>
> I noticed that because the obfsproxy api can sometimes buffer and
> resend smaller chunks of data. My simple use of Nacl stream_crypto to
> wrap each incoming data buffers will not work... that is because the
> client and server must keep synchronized nonce counters for the
> decrypt/encrypt to work... and in this case the client may send one
> large buffer and the server may receive many smaller buffers... trying
> to decrypt them with different nonces will of course fail.
>
> https://github.com/david415/obfsproxy/tree/david-nacl-stream-withoutkeyexchange
>
> It seems like the solution is to write a super simple "framing
> protocol"... which is to say that I can first send a frame length; and
> on the receiving end simply read until frame length worth of data is
> consumed... and then apply the crypto_stream cipher on that frame with
> the correct corresponding nonce.

Super-simple framing protocols often fall victim to attacks in which the
adversary messes with the length in the frame header. See, for example,
"Plaintext Recovery Attacks Against SSH":

http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf

So be careful here.

   - Ian
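An added example, not part of the original thread and not obfsproxy's code: a length-prefixed framing layer whose receiver reassembles frames from arbitrarily sized chunks and authenticates the length field before acting on it. The names, the 2-byte length, the 16-byte tags and MAX_FRAME are assumptions; `payload` stands for the already-encrypted crypto_stream output, and HMAC-SHA256 from the standard library stands in for the authenticator.

```python
import hashlib
import hmac
import struct

MAX_FRAME = 4096          # assumed cap on payload size
TAG_LEN = 16              # assumed truncated HMAC-SHA256 tag length
HDR_LEN = 2 + TAG_LEN     # length field plus its own tag

def _tag(key, label, seq, data):
    # Every tag covers the frame counter, so replayed or reordered frames fail.
    msg = label + struct.pack(">Q", seq) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

def encode_frame(key, seq, payload):
    # payload is assumed to be ciphertext produced with the nonce for seq.
    if len(payload) > MAX_FRAME:
        raise ValueError("payload too large")
    length = struct.pack(">H", len(payload))
    return (length + _tag(key, b"hdr", seq, length)
            + payload + _tag(key, b"body", seq, payload))

class FrameReader:
    """Reassembles frames no matter how the transport splits the bytes."""
    def __init__(self, key):
        self.key, self.seq, self.buf = key, 0, b""

    def feed(self, chunk):
        """Buffer chunk and return the payloads of all completed frames."""
        self.buf += chunk
        out = []
        while len(self.buf) >= HDR_LEN:
            length, hdr_tag = self.buf[:2], self.buf[2:HDR_LEN]
            # Check the length field's tag before trusting the length.
            if not hmac.compare_digest(hdr_tag, _tag(self.key, b"hdr", self.seq, length)):
                raise ValueError("bad frame header")
            (n,) = struct.unpack(">H", length)
            if n > MAX_FRAME:
                raise ValueError("frame too large")
            end = HDR_LEN + n + TAG_LEN
            if len(self.buf) < end:
                break  # frame incomplete, wait for more data
            payload, body_tag = self.buf[HDR_LEN:HDR_LEN + n], self.buf[HDR_LEN + n:end]
            if not hmac.compare_digest(body_tag, _tag(self.key, b"body", self.seq, payload)):
                raise ValueError("bad frame body")
            out.append(payload)  # safe to decrypt with the nonce for self.seq
            self.buf = self.buf[end:]
            self.seq += 1
        return out
```

The receiver's frame counter doubles as the nonce counter, so both sides stay synchronized per frame rather than per received buffer.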
