teor <teor2...@gmail.com> writes: >> On 20 Sep 2017, at 00:44, George Kadianakis <desnac...@riseup.net> wrote: >> >> Legacy RENDEZVOUS1 cells are bigger than the prop224 ones. The prop224 >> spec suggests we pad the new cells so that they look similar in size to >> the legacy ones. >> >> ... >> >> The suggestion is to pad the prop224 cells to 168 bytes using random data. >> >> Would that work? My main question is whether the g^y part of the legacy >> cell has any distinguishers that could distinguish it from random data. >> It's encoded using OpenSSL's BN_bn2bin() and it's a 1024 bit DH public >> key. Are there any algebraic or openssl structure distinguishers we >> should be worrying about, or is random data sufficient to mask it out? > > What's the threat model here? > > I ask because regardless of whether the RENDEZVOUS1 cell plaintext is > distinguishable between v2 and v3, the rend point can distinguish v2 and > v3 using this one neat trick: > * if the service extends using TAP, the protocol is v2 > * if the service extends using ntor, the protocol is v3 >
Thanks for the discussion and research, Ian and teor! I summarized the findings here: https://trac.torproject.org/projects/tor/ticket/23420#comment:5 Not sure what's the right approach here. Perhaps I'm fine with doing nothing at this point, and figuring this out in the future if v4 ever comes. Cheers! _______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev