On Thu, Apr 07, 2011 at 11:20:00PM +0100, Steven J. Murdoch wrote:
On Thu, Apr 07, 2011 at 06:13:45PM -0400, Nick Mathewson wrote:
Oh! Also, for a bit of redundancy, I'm thinking that the symmetric crypto parts of the improved onion handshakes ought to be with a less malleable mode of operation than the counter-mode stuff we do now. Perhaps we could make use of an all-or-nothing mode of operation like LIONESS or biIGE. (They're both slower than counter mode, but for purposes of CREATE cells, I don't think the hit will matter in comparison with the cost of the public-key operations.)
This is another thing that triggers my crypto-spidey-sense. The particular problem that I'm thinking of is that for MAC-then-encrypt, only some modes of operation are secure (CTR is, CBC is not). In some ways, the malleability of CTR is a strength, and I'd be concerned that something else might be able to be leveraged in an attack.
But we're currently doing "encrypt", not "MAC-then-encrypt". And we should be doing "encrypt-then-MAC", in my opinion, which ensures the ciphertext can't be undetectably messed with.
In any event, yes, crypto-spidey-sense.
- Ian