On Sat, Dec 20, 2014 at 4:56 AM, Yawning Angel yawning@schwanenlied.me wrote: [...]
> How not to do Diffie-Hellman:
>
>     key = pow(dh_received, dh_secret, DIFFIE_HELLMAN_MODULUS)
>
> This is relatively minor, since recovering the secret key is trivial via PRNG attacks, so the fact that the modular exponentiation is not constant time matters less.
>
> Additionally, I don't believe their code checks that the dh_secret value is actually in [2..(p-1)], which enables an attack if the node receiving an EXTEND cell replaces enc(g^x) and g^y with enc(1) and 1, respectively. This makes the circuit crypto more or less pointless.
>
> And I think that the CREATE cell handler's implementation of the (deprecated) TAP protocol is vulnerable to the timing attack discussed in Goldberg's "On the Security of the Tor Authentication Protocol".
>
> Recommendations:
>
> - For users, "don't". Cursory analysis found enough fundamental flaws and secure-protocol design/implementation errors that I would be reluctant to consider this secure, even if the known issues were fixed. It may be worth revisiting in several years, when the designers have obtained more experience and a thorough third-party audit of the improved code and design has been done.
Yeah. To be clear, if you had reviewed Tor in 2004, you would have found a lot of horrible mistakes too. Software gets better, and programmers get better.
This one has a long way to go, but if they keep at it, it will eventually get there.
(Honestly, I find that the best way to put these kinds of mistakes into context is to put a huge disclaimer on the front of all new software, so that people will know not to use it until it's had a lot of attention.)
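The substitution attack described in the quoted review (a received public value of 1 forces the shared key to 1 for any secret exponent) and the range check it says is missing, worked through as an added example. This is not part of either message and is not code from the reviewed project or from Tor. It assumes the 1024-bit MODP group with generator 2 that the TAP handshake uses (RFC 2409, "Second Oakley Group"); the hex constant is reproduced from that RFC and should be re-checked against it before reuse. The validation itself is generic to any safe-prime group: range check first, then a subgroup-membership check, and the private exponent comes from the OS CSPRNG rather than a guessable PRNG.

```python
"""Validating a Diffie-Hellman public value before exponentiating with it.

Added example for the thread above; not code from the reviewed project or
from Tor. The group is assumed to be the 1024-bit MODP group with g = 2 used
by TAP (RFC 2409, "Second Oakley Group"); the constant is reproduced from
that RFC and should be re-checked against it before reuse.
"""
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2  # P is a safe prime, so G generates the subgroup of prime order Q


def naive_shared_key(dh_received, dh_secret, p=P):
    """The computation criticised in the quoted review: whatever the peer (or a
    man in the middle) sent is raised to our secret with no checks at all."""
    return pow(dh_received, dh_secret, p)


def validate_dh_public(y, p=P, q=Q):
    """Reject public values that let an attacker fix the shared secret.

    0, 1 and p-1 make the result collapse to 0, 1 or +-1 regardless of the
    secret exponent; values outside the prime-order subgroup leak bits of it.
    Raises ValueError on a bad value and returns it unchanged otherwise."""
    if isinstance(y, bool) or not isinstance(y, int):
        raise ValueError("public value must be an integer")
    if not 2 <= y <= p - 2:
        raise ValueError("public value outside [2, p-2]")
    if pow(y, q, p) != 1:
        raise ValueError("public value not in the prime-order subgroup")
    return y


def rejects(y):
    """True if validate_dh_public refuses y (convenience for demos and tests)."""
    try:
        validate_dh_public(y)
    except ValueError:
        return True
    return False


def safe_shared_key(dh_received, dh_secret, p=P, q=Q):
    """Same exponentiation, but only after the peer's value has been validated."""
    validate_dh_public(dh_received, p, q)
    key = pow(dh_received, dh_secret, p)
    if key in (1, p - 1):  # cannot happen after validation, but fail closed
        raise ValueError("degenerate shared secret")
    return key


def keygen(p=P, g=G, q=Q):
    """Fresh private exponent in [1, q-1] from the OS CSPRNG, plus g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def substitution_attack():
    """Replay the attack from the review against the unvalidated code: a relay
    on the path replaces both halves of the handshake with 1. Returns the
    (client_key, server_key) pair both sides derive; both are 1, a value the
    attacker knows without ever seeing either secret exponent."""
    x, _ = keygen()  # the client's real g^x never reaches the server
    y, _ = keygen()  # the server's real g^y never reaches the client
    client_key = naive_shared_key(1, x)  # client received "g^y" = 1
    server_key = naive_shared_key(1, y)  # server received "g^x" = 1
    return client_key, server_key


def honest_exchange():
    """Both sides validate; True if they agree on a non-trivial shared key."""
    x, gx = keygen()
    y, gy = keygen()
    return safe_shared_key(gy, x) == safe_shared_key(gx, y) != 1


if __name__ == "__main__":
    print("unvalidated keys under substitution:", substitution_attack())
    print("validated code rejects 1:", rejects(1), "and p-1:", rejects(P - 1))
    print("honest exchange agrees:", honest_exchange())
```

Note that the range check alone stops the "1" substitution; the subgroup check is the extra step that also rejects p-1 and small-subgroup elements, and it costs one additional exponentiation per handshake.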