Re: [tor-dev] prop224: Deprecating SHA1 circuit digests

2017-07-24 Thread teor
Hi all, This thread ended up covering a lot of details of Tor crypto. And there are a lot of details! (I'm sorry this email is so long.) I focused on the circuit digest hash, but I wanted to talk about circuit crypto in general. So I'm going to focus my reply on how upgrading circuit crypto has

Re: [tor-dev] prop224: Deprecating SHA1 circuit digests

2017-07-23 Thread David Goulet
On 23 Jul (12:08:25), teor wrote:
>
> > On 22 Jul 2017, at 00:07, David Goulet wrote:
> >
> > On 22 Jul (00:02:33), teor wrote:
> >> Hi all,
> >>
> >> At the moment, Tor uses SHA1 for the running digests of circuit cell
> >> payloads.
> >>
> >> Some of the prop224 code seems to use SHA256 for

Re: [tor-dev] prop224: Deprecating SHA1 circuit digests

2017-07-22 Thread Taylor R Campbell
> Date: Sun, 23 Jul 2017 12:08:25 +1000
> From: teor
>
> We still need to think about how we migrate hashes, because all hashes
> break eventually:
> https://valerieaurora.org/hash.html

As a counterpoint, here is an updated history of collision *and* preimage attacks, and some commentary on them

Re: [tor-dev] prop224: Deprecating SHA1 circuit digests

2017-07-22 Thread teor
> On 22 Jul 2017, at 00:07, David Goulet wrote:
>
> On 22 Jul (00:02:33), teor wrote:
>> Hi all,
>>
>> At the moment, Tor uses SHA1 for the running digests of circuit cell
>> payloads.
>>
>> Some of the prop224 code seems to use SHA256 for the digests for
>> client to service rendezvous circui

Re: [tor-dev] prop224: Deprecating SHA1 circuit digests

2017-07-21 Thread David Goulet
On 22 Jul (00:02:33), teor wrote:
> Hi all,
>
> At the moment, Tor uses SHA1 for the running digests of circuit cell
> payloads.
>
> Some of the prop224 code seems to use SHA256 for the digests for
> client to service rendezvous circuits. But that's not in the spec yet
> (see #22995 at [0]).

Tha

[tor-dev] prop224: Deprecating SHA1 circuit digests

2017-07-21 Thread teor
Hi all,

At the moment, Tor uses SHA1 for the running digests of circuit cell payloads.

Some of the prop224 code seems to use SHA256 for the digests for client to service rendezvous circuits. But that's not in the spec yet (see #22995 at [0]).

How and when do we plan to move away from using SHA1