[liberationtech] New Anonymity Network for Short Messages
Steve Weis
steveweis at gmail.com
Tue Jun 11 11:10:53 PDT 2013
Comments inline...
On Tue, Jun 11, 2013 at 10:47 AM, Sean Cassidy <sean.a.cassidy at gmail.com> wrote:
> > - Any specific reason you picked CTR?
> CTR is widely recommended. Cryptography Engineering specifically
> recommends it.
>
The reason I ask is that this makes your IV-generation more critical than,
say, CBC, XTS, or other modes. If you have an IV collision, you'll leak
some message bits.
How big is the random nonce here, i.e. "sizeof(dp.id.id) - blen"
<https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-84>?
How are message IDs generated?
> > - HMAC verification is vulnerable to a timing attack. Since you're using
> > CTR, it's that much easier to forge messages.
>
> I will have to look into this in my Javascript client as well. Do you
> have any recommendations?
Use a timing-independent array comparison
<http://rdist.root.org/2010/01/07/timing-independent-array-comparison/>.
It's an easy fix. I've made the same mistake before, which is why I always
look for it now.