On Wed, Nov 2, 2011 at 9:25 PM, Watson Ladd wrote:
> Dear all,
> I'm busy rewriting tor-spec (well, mangling it) to be crypto agnostic
> (read: shoving hard choices to later). In the process I am trying to
> make it a bit clearer.
Hi, Watson! Some initial thoughts to observe or ignore as you see
Dear all,
I'm busy rewriting tor-spec (well, mangling it) to be crypto agnostic
(read: shoving hard choices to later). In the process I am trying to
make it a bit clearer.
The spec seems to hold open the possibility that nodes not on the two
ends of a circuit can send recognized RELAY cells (the ro
On Wed, Nov 2, 2011 at 2:19 PM, Watson Ladd wrote:
> On Wed, Nov 2, 2011 at 11:45 AM, Robert Ransom wrote:
>> On 2011-11-02, Watson Ladd wrote:
>>> Dear All,
>>[...omitted..]
>>
>>> Right now Tor encrypts the streams of data from a client to a OR with
>>> AES-CTR and no integrity checks.
>>
>> B
On Wed, Nov 02, 2011 at 01:19:52PM -0500, Watson Ladd wrote:
> On Wed, Nov 2, 2011 at 11:45 AM, Robert Ransom wrote:
> > On 2011-11-02, Watson Ladd wrote:
> >> Dear All,
> >[...omitted..]
> >
> >> Right now Tor encrypts the streams of data from a client to a OR with
> >> AES-CTR and no integrity
On Wed, Nov 2, 2011 at 11:45 AM, Robert Ransom wrote:
> On 2011-11-02, Watson Ladd wrote:
>> Dear All,
>[...omitted..]
>
>> Right now Tor encrypts the streams of data from a client to a OR with
>> AES-CTR and no integrity checks.
>
> Bullshit. We have a 32-bit-per-cell integrity check at the end
On Tue, 1 Nov 2011 14:51:00 -0700
coderman wrote:
> On Tue, Nov 1, 2011 at 1:20 PM, Zooko O'Whielacronx wrote:
> > ...
> > Therefore, in the context of whether we can expect SHA-3 and/or
> > SHA-256 circuits to come built into our chips in the future, the fact
> > that SHA-256 can be implemented
On Mon, 31 Oct 2011 23:59:55 -0500
Watson Ladd wrote:
> What about this for modification resistance?
> We keep a count of all cells passing and use AES in CTR mode with a 2 part
> counter: the first part the cell counter, the second one a block counter.
> Then to authenticate the cell we can use
On Wed, Nov 2, 2011 at 12:45 PM, Robert Ransom wrote:
> On 2011-11-02, Watson Ladd wrote:
>> Dear All,
>> Rather than get further sucked into a debate that is producing more
>> heat than light about Wegman-Carter, I've decided to make a concrete
>> proposal for how Tor can better protect its stre
On 2011-11-01, Roger Dingledine wrote:
> On Mon, Oct 31, 2011 at 09:25:58PM -0400, Nick Mathewson wrote:
>> The point of this document is to discuss what crypto we ought to be
>> using.
>
> Thanks Nick!
>
>> - To make sure that the extending node is talking to the right next
>> node
>>
On 2011-11-02, Watson Ladd wrote:
> Dear All,
> Rather than get further sucked into a debate that is producing more
> heat than light about Wegman-Carter, I've decided to make a concrete
> proposal for how Tor can better protect its streams from manipulation.
Your proposal is so detailed and conc
For what it is worth, I would probably prefer Poly1305-AES over HMAC
if I were needing message integrity. I don't know if I would prefer
Poly1305-AES over using an integrated-integrity mode like GCM.
On Wed, Nov 2, 2011 at 2:20 AM, Markku-Juhani O. Saarinen
wrote:
>
> As a hash function research
Dear All,
Rather than get further sucked into a debate that is producing more
heat than light about Wegman-Carter, I've decided to make a concrete
proposal for how Tor can better protect its streams from manipulation.
Right now Tor encrypts the streams of data from a client to a OR with
AES-CTR an
Watson Ladd:
> (HMAC is a bad idea anyway: quadratic security bounds are not the best
> possible, we have to use nonces anyway to prevent replay attacks, so
> Wegman-Carter is a better idea for better in{faster, more secure}. GCM
> would be an example of this.)
GCM has quadratic security bounds,
13 matches