On 23/05/14 13:16, Philipp Winter wrote:
> - ScrambleSuit's framing mechanism is vulnerable to this attack:
> http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf
> In a nutshell, the receiver needs to decrypt the ScrambleSuit header before it is able to verify the HMAC, which makes it possible for an attacker to tamper with the length fields. While there are probably simpler attacks, it would be nice to have a fix for this problem.
In the next version of the Briar transport protocol we're addressing that problem by dividing each frame into two parts. The first part is a fixed-length header, the second is a variable-length body. Each part is separately encrypted and MACed. The header contains the length of the body.
This requires two MACs per frame, but I prefer that to the alternatives: using fixed-length frames, or using the decrypted length field before checking whether it's been tampered with.
Cheers, Michael
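The two framings discussed in this thread, as an added example that is not code from Briar, ScrambleSuit or either author. It assumes a 4-byte big-endian length field, HMAC-SHA256 tags, a per-frame counter, and an HMAC-based counter keystream standing in for a real cipher so it runs on the standard library alone; the field labels, key names and the in-memory ByteStream are this example's own. Layout A decrypts the length and reads that many bytes before any tag is checked (the weakness Philipp describes); layout B authenticates the fixed-length header first and only then uses the length, at the cost of a second tag per frame.

```python
import hashlib
import hmac
import struct

LEN_FIELD = 4   # header = 4-byte big-endian body length (assumption)
MAC_LEN = 32    # HMAC-SHA256 tag

# Constructed keys for the example; a real protocol derives these per session.
KEYS = {"enc": hashlib.sha256(b"example-enc-key").digest(),
        "mac": hashlib.sha256(b"example-mac-key").digest()}


def _keystream(key, label, frame_no, length):
    """Toy CTR keystream HMAC(key, label || frame_no || block); stand-in for a real cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + struct.pack(">QQ", frame_no, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def _mac(key, label, frame_no, *parts):
    h = hmac.new(key, label + struct.pack(">Q", frame_no), hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()


class ByteStream:
    """In-memory socket stand-in that records every read size the receiver asked for."""
    def __init__(self, data):
        self.data, self.pos, self.requested = data, 0, []

    def read(self, n):
        self.requested.append(n)
        if self.pos + n > len(self.data):
            raise EOFError("wanted %d bytes, %d left" % (n, len(self.data) - self.pos))
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk


# Layout A: one MAC over the whole frame; the length is used before it is checked.
def write_frame_single_mac(keys, frame_no, body):
    pt = struct.pack(">I", len(body)) + body
    ct = _xor(pt, _keystream(keys["enc"], b"frame", frame_no, len(pt)))
    return ct + _mac(keys["mac"], b"frame", frame_no, ct)


def read_frame_length_first(keys, frame_no, stream):
    hdr_ct = stream.read(LEN_FIELD)
    # Acting on the decrypted length before the MAC is verified: a flipped bit in
    # hdr_ct now decides how many bytes the receiver waits for.
    (body_len,) = struct.unpack(">I", _xor(hdr_ct, _keystream(keys["enc"], b"frame", frame_no, LEN_FIELD)))
    body_ct = stream.read(body_len)
    tag = stream.read(MAC_LEN)
    ct = hdr_ct + body_ct
    if not hmac.compare_digest(tag, _mac(keys["mac"], b"frame", frame_no, ct)):
        raise ValueError("frame MAC mismatch")
    return _xor(ct, _keystream(keys["enc"], b"frame", frame_no, len(ct)))[LEN_FIELD:]


# Layout B: fixed-length header and variable-length body, each encrypted and MACed.
def write_frame_two_macs(keys, frame_no, body):
    hdr_ct = _xor(struct.pack(">I", len(body)), _keystream(keys["enc"], b"hdr", frame_no, LEN_FIELD))
    hdr_mac = _mac(keys["mac"], b"hdr", frame_no, hdr_ct)
    body_ct = _xor(body, _keystream(keys["enc"], b"body", frame_no, len(body)))
    # Body tag also covers the header tag, so a body cannot be paired with a foreign header.
    body_mac = _mac(keys["mac"], b"body", frame_no, hdr_mac, body_ct)
    return hdr_ct + hdr_mac + body_ct + body_mac


def read_frame_mac_first(keys, frame_no, stream):
    hdr_ct = stream.read(LEN_FIELD)
    hdr_mac = stream.read(MAC_LEN)
    if not hmac.compare_digest(hdr_mac, _mac(keys["mac"], b"hdr", frame_no, hdr_ct)):
        raise ValueError("header MAC mismatch")   # the length field is never decoded
    (body_len,) = struct.unpack(">I", _xor(hdr_ct, _keystream(keys["enc"], b"hdr", frame_no, LEN_FIELD)))
    body_ct = stream.read(body_len)
    body_mac = stream.read(MAC_LEN)
    if not hmac.compare_digest(body_mac, _mac(keys["mac"], b"body", frame_no, hdr_mac, body_ct)):
        raise ValueError("body MAC mismatch")
    return _xor(body_ct, _keystream(keys["enc"], b"body", frame_no, body_len))


def tamper_demo(body=b"hello"):
    """Flip the top bit of the length ciphertext in both layouts; report what each
    receiver raised and the read sizes it requested before noticing."""
    results = {}
    for name, writer, reader in (("single_mac", write_frame_single_mac, read_frame_length_first),
                                 ("two_macs", write_frame_two_macs, read_frame_mac_first)):
        frame = bytearray(writer(KEYS, 7, body))
        frame[0] ^= 0x80                       # first byte of hdr_ct in both layouts
        stream = ByteStream(bytes(frame))
        try:
            reader(KEYS, 7, stream)
            outcome = "accepted"
        except (ValueError, EOFError) as e:
            outcome = type(e).__name__
        results[name] = (outcome, stream.requested)
    return results
```

With the tampered frame, `read_frame_length_first` asks the stream for 0x80000005 bytes (the attacker chose that number) and only fails when the data runs out, whereas `read_frame_mac_first` rejects after the 36 header bytes without ever decoding the length. The extra 32 bytes per frame is the cost Michael mentions; the alternative of fixed-length frames avoids it only by giving up variable-length bodies.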