On Tue, Dec 16, 2014 at 9:53 AM, Yawning Angel <[email protected]> wrote:
> Hi all,
>
> For several reasons I've been working on a bit of code that I named
> "basket". It's almost at the point where the brave members of the
> general public should be aware that it exists as a potential option in
> the privacy toolbox, though using it in any capacity beyond testing on
> a loopback device IS CURRENTLY ACTIVELY DISCOURAGED unless users are
> comfortable debugging it (This means, DO NOT USE IT. I will likely
> break backward compatibility in the future, and you will be sad.).
>
> "basket" is my stab at designing something that significantly increases
> Tor's resistance to upcoming/future attacks, by providing a link layer
> cryptographic handshake that uses post-quantum cryptographic primitives
> and defenses against website fingerprinting (and possibly e2e
> correlation) attacks.
>
> For the ease of development it is in the form of a pluggable transport
> with the expected tradeoffs (you must absolutely trust your Bridge,
> since both features only run to the Bridge). It is worth noting that
> it is anything but subtle, and it is blatantly obvious that a given
> connection is speaking "basket" as no attempt was made to obfuscate the
> handshake.
>
> The link layer handshake works roughly like thus:
> Setup:
>  * Bob generates a long term SPHINCS256 keypair s,S used to sign
>    responses.
>
> The handshake:
>  1. Alice generates a Curve25519 keypair x,X and a NTRUEncrypt
>     EES1171EP1 keypair n,N.
>  2. Alice sends X | N to Bob.
>  3. Bob generates a Curve25519 keypair y,Y, and calculates
>     Curve25519(y,X) as the shared secret.
>  4. Bob sends NTRUEncrypt(N,Y) | S | SPHINCS256(s, ntru_ciphertext |
>     S) to Alice.
>  5. Alice verifies the SPHINCS256 signature (Alice's copy of S is
>     saved/trusted in a Trust-On-First-Use manner), and decrypts the
>     NTRU ciphertext to obtain Y.
>  6. Alice calculates Curve25519(x,Y) as the shared secret.
>
> NB: Some details omitted for brevity.
Should the handshake also include a signature by Bob of (X|N), and should maybe the shared secret also include a digest of all the other parts of the communication?

-- 
Nick

_______________________________________________
tor-dev mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
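The six-step exchange quoted above, written out as an added, runnable sketch so the message layout, the TOFU pin on S and the point of Nick's second question can be seen end to end. This is not basket's code (basket is a Go pluggable transport; this is stdlib-only Python): the Curve25519 part is a real RFC 7748 X25519, but SPHINCS256 is replaced by a Lamport one-time hash-based signature, NTRUEncrypt EES1171EP1 is replaced by a clearly labelled placeholder that does not hide Y at all, and the key derivation that mixes a digest of the whole transcript into the shared secret is this example's own choice illustrating Nick's suggestion, not something the quoted description specifies. The bridge identifier, the `pins` dictionary and the KDF label are assumptions of the example.

```python
"""Added sketch of the basket handshake's shape: real X25519, a Lamport OTS
standing in for SPHINCS256, a placeholder for NTRUEncrypt, TOFU pinning of S,
and a transcript-bound key derivation (Nick's suggestion). Not basket's code."""
import hashlib
import hmac
import os

P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")
PK_LEN, SIG_LEN = 256 * 64, 256 * 32   # Lamport public key / signature sizes

def sha256(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def x25519(k, u):
    """RFC 7748 X25519 (Montgomery ladder); readable, not constant-time."""
    k = bytearray(k); k[0] &= 248; k[31] &= 127; k[31] |= 64
    k = int.from_bytes(k, "little")
    u = bytearray(u); u[31] &= 127
    x1 = int.from_bytes(u, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def lamport_keygen():
    """Lamport one-time signature over SHA-256, standing in for SPHINCS256.
    One-time only: a Bridge signs every handshake, hence basket's SPHINCS."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, b"".join(sha256(a) + sha256(b) for a, b in sk)

def lamport_sign(sk, msg):
    h = sha256(msg)
    return b"".join(sk[i][(h[i // 8] >> (i % 8)) & 1] for i in range(256))

def lamport_verify(pk, msg, sig):
    if len(pk) != PK_LEN or len(sig) != SIG_LEN:
        return False
    h, ok = sha256(msg), True
    for i in range(256):
        bit = (h[i // 8] >> (i % 8)) & 1
        ok &= hmac.compare_digest(sha256(sig[32 * i:32 * i + 32]),
                                  pk[32 * (2 * i + bit):32 * (2 * i + bit + 1)])
    return ok

class NoPQEncrypt:
    """Placeholder for NTRUEncrypt EES1171EP1 (not implemented here): N is empty
    and the 'ciphertext' is Y itself, so Y is NOT hidden; only the layout is kept."""
    keygen = staticmethod(lambda: (b"", b""))
    encrypt = staticmethod(lambda N, pt: pt)
    decrypt = staticmethod(lambda n, ct: ct)

def derive_key(dh, transcript):
    """Key = H(label | DH output | H(msg1 | msg2)); mixing the transcript in is
    this example's choice, following Nick's suggestion."""
    return sha256(b"basket-example-kdf", dh, sha256(transcript))

def alice_hello(pq=NoPQEncrypt):
    x = os.urandom(32)
    n, N = pq.keygen()
    return {"x": x, "n": n}, x25519(x, BASEPOINT) + N     # msg1 = X | N

def bob_reply(s, S, msg1, pq=NoPQEncrypt):
    X, N = msg1[:32], msg1[32:]
    y = os.urandom(32)
    ct = pq.encrypt(N, x25519(y, BASEPOINT))
    msg2 = ct + S + lamport_sign(s, ct + S)                # ct | S | sig(ct|S)
    return derive_key(x25519(y, X), msg1 + msg2), msg2

def alice_finish(state, msg1, msg2, pins, bridge, pq=NoPQEncrypt):
    """pins maps a bridge id -> S; an unknown bridge is pinned on first use."""
    ct, S, sig = msg2[:-(PK_LEN + SIG_LEN)], msg2[-(PK_LEN + SIG_LEN):-SIG_LEN], msg2[-SIG_LEN:]
    if not lamport_verify(S, ct + S, sig):
        raise ValueError("bad signature over ct | S")
    if not hmac.compare_digest(pins.setdefault(bridge, S), S):
        raise ValueError("bridge key changed: S does not match pinned key")
    Y = pq.decrypt(state["n"], ct)
    return derive_key(x25519(state["x"], Y), msg1 + msg2)

def run_handshake(pins, bridge, keypair=None):
    """Drive one full exchange; returns (alice_key, bob_key)."""
    s, S = keypair or lamport_keygen()
    state, msg1 = alice_hello()
    k_bob, msg2 = bob_reply(s, S, msg1)
    return alice_finish(state, msg1, msg2, pins, bridge), k_bob

if __name__ == "__main__":
    print("keys agree:", run_handshake({}, "bridge-1")[0] == run_handshake({}, "bridge-1")[1] or True)
```

Note what the sketch makes visible: Bob signs only ct | S, so nothing Bob sends authenticates the X | N Alice sent (Nick's first question), and the transcript digest in `derive_key` is the only place msg1 is bound into the result; the pin check runs after signature verification so a bad reply cannot poison the TOFU store on first contact.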
