Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] New Anonymity Network for Short Messages

Steve Weis steveweis at gmail.com
Tue Jun 11 11:10:53 PDT 2013


Comments inline...

On Tue, Jun 11, 2013 at 10:47 AM, Sean Cassidy <sean.a.cassidy at gmail.com>wrote:

> > - Any specific reason you picked CTR?
> CTR is widely recommended. Cryptography Engineering specifically
> recommends it.
>

The reason I ask is that this makes your IV-generation more critical than,
say, CBC, XTS, or other modes. If you have an IV collision, you'll leak
some message bits.

How big is the random nonce here, i.e. "sizeof(dp.id.id) -
blen<https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-84>"?
How are message IDs generated?


> > - HMAC verification is vulnerable to a timing attack. Since you're using
>  > CTR, it's that much easier to forge messages.
>
> I will have to look into this in my Javascript client as well. Do you
> have any recommendations?


Use a timing-independent array
comparison<http://rdist.root.org/2010/01/07/timing-independent-array-comparison/>.
It's an easy fix. I've made the same mistake before, which is why I always
look for it now.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130611/2973fd46/attachment.html>


More information about the liberationtech mailing list