[liberationtech] Not another Haystack right?

Steve Weis steveweis at gmail.com
Tue Nov 29 08:49:04 PST 2011


This rationale for why they are inventing a new transport protocol needs to
be explained better. Why reinvent the wheel instead of using TLS?

From a quick read through, they're stuffing connection info into an IV and
encrypting it with an ephemeral "IV key" in ECB mode. The spec says "the
purpose of encrypting the IV is not to keep the plaintext IV confidential,
but rather to prevent an observer from identifying the Briar protocol
through techniques such as deep packet inspection".

That seems unnecessarily complicated. Someone could encrypt all the Briar
connection info in a regular encrypted payload with a random IV, which will
be just as indistinguishable. I guess the idea is that the receiver can
quickly decrypt one block and check whether it's a Briar connection, rather
than having to decrypt a whole blob.

This IV has a 32-bit connection number that cannot be reused, requiring
counter state on each node. There's no mention of what happens when an
attacker opens connections to exhaust that counter or causes a node to
reset its counter. It's also not clear what happens when someone sends
corrupted IVs. There is no authentication on the IV itself, unless you
authenticate the HMAC on the entire payload. Nodes have to decrypt the IV
and try to parse the resultant fields. It's unclear how nodes handle
unexpected frame, connection, or block numbers. If you can reliably get a
Briar node to fail in a distinct manner, it might reveal itself as a Briar
node.

I think questions about Java versions and Oracle's export policies are
bikeshedding at this point. This needs a lot more review before I would
ever trust it.

On Tue, Nov 29, 2011 at 8:04 AM, Yosem Companys <companys at stanford.edu> wrote:

> > What troubles me is the manner this discussion was started. Certainly, we
> > should express deep skepticism toward any tool that is released, but Yosem,
> > your title was quite curtly accusatory and without any support!
>
> Good point, though note I brought the discussion over from Twitter,
> where the question of "Not another Haystack, right?" was raised to me.
>  The question simply illustrates the deep public skepticism there is
> toward any tool that is released.
>
>
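
One way a receiver could handle the encrypted IV block discussed in the message above, as an added example that is not from the Briar spec or the original post. The 16-byte field layout, all names, and the Feistel stand-in for single-block AES-ECB are assumptions, chosen so the sketch runs with only the Python standard library; replayed, corrupted and wrong-length IVs all take the same rejection path.

```python
import hashlib
import hmac
import struct

BLOCK = 16                 # one cipher block carries the encrypted IV
LAYOUT = ">III4s"          # assumed fields: connection, frame, block, reserved


def _f(key, i, half):
    # Feistel round function built from HMAC-SHA256
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key, block):
    # Stdlib stand-in for single-block AES-ECB: 4-round Feistel network
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right


def decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _f(key, i, left)), left
    return left + right


def make_iv(iv_key, conn):
    # Sender side: first block of a new connection (frame 0, block 0)
    return encrypt_block(iv_key, struct.pack(LAYOUT, conn, 0, 0, bytes(4)))


class Receiver:
    def __init__(self, iv_key):
        self.iv_key = iv_key
        self.seen = set()  # connection numbers already accepted

    def accept(self, first_block):
        # True only for a fresh, well-formed IV. Every failure returns the
        # same False, so the caller has one rejection path for all of them.
        if len(first_block) != BLOCK:
            return False
        plain = decrypt_block(self.iv_key, first_block)
        conn, frame, block, reserved = struct.unpack(LAYOUT, plain)
        ok = (frame, block, reserved) == (0, 0, bytes(4)) and conn not in self.seen
        if ok:
            self.seen.add(conn)
        return ok
```

The `seen` set is the per-node state that the non-reusable connection number requires; the sketch does not address counter exhaustion or resets.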