On Thu, Apr 07, 2011 at 06:13:45PM -0400, Nick Mathewson wrote:
> Oh! Also, for a bit of redundancy, I'm thinking that the symmetric crypto parts of the improved onion handshakes ought to be with a less malleable mode of operation than the counter-mode stuff we do now.

Yes. Absolute necessity.

> Perhaps we could make use of an all-or-nothing mode of operation like LIONESS or biIGE. (They're both slower than counter mode, but for purposes of CREATE cells, I don't think the hit will matter in comparison with the cost of the public-key operations.)

A MAC (or a cipher mode that includes integrity like GCM) would be a good start.
- Ian
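As an added illustration of the counter-mode malleability discussed above (example code, not from the thread and not Tor's own code): a constructed SHA-256-based keystream stands in for AES-CTR, a single flipped ciphertext bit changes the decrypted plaintext predictably, and an encrypt-then-MAC wrapper with HMAC-SHA256 rejects the same modification. Keys, nonce and message are constructed values.

```python
import hashlib
import hmac

# Constructed stand-in for AES-CTR: keystream block i = SHA-256(key || nonce || i).
# The malleability shown below holds for any counter/stream mode, not just this PRF.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return out[:length]

def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode: encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

# Encrypt-then-MAC: HMAC-SHA256 over nonce || ciphertext, verified before decryption.
def etm_encrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes) -> bytes:
    ct = ctr_xor(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def etm_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # reject: any modified bit invalidates the whole message
    return ctr_xor(enc_key, nonce, ct)

def demo():
    enc_key, mac_key, nonce = b"k" * 32, b"m" * 32, b"n" * 16  # constructed values
    msg = b"CREATE cell payload: handshake data"
    # 1. Bare counter mode: flipping a ciphertext bit flips the same plaintext bit,
    #    so a party without the key can still change "CREATE" into "XREATE".
    ct = bytearray(ctr_xor(enc_key, nonce, msg))
    ct[0] ^= ord("C") ^ ord("X")
    malleable = ctr_xor(enc_key, nonce, bytes(ct))
    # 2. The same modification under encrypt-then-MAC fails verification.
    blob = bytearray(etm_encrypt(enc_key, mac_key, nonce, msg))
    blob[16] ^= ord("C") ^ ord("X")  # byte 16 is the first ciphertext byte
    rejected = etm_decrypt(enc_key, mac_key, bytes(blob))
    # 3. An unmodified message still round-trips.
    intact = etm_decrypt(enc_key, mac_key, etm_encrypt(enc_key, mac_key, nonce, msg))
    return malleable, rejected, intact

if __name__ == "__main__":
    print(demo())
```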