Opened 7 years ago

Closed 3 years ago

#1315 closed task (wontfix)

Use of Authenticated Encryption

Reported by: ExtraBattery
Owned by: zzz
Priority: maintenance
Milestone: n/a
Component: router/transport
Version: 0.9.13
Keywords:
Cc:
Parent Tickets: #856, #2199
Sensitive: no



it states that: "SSU (the UDP transport) encrypts each packet with AES256/CBC with both an explicit IV and MAC (HMAC-MD5-128) …"

Isn't MD5 completely outdated? So even if an HMAC is used, shouldn't the hash algorithm be changed back to SHA-256 for security?

Even better, AES-GCM (authenticated encryption) might be used, which would probably also perform better than encrypting with AES and then hashing with MD5. Steve Gibson has recently released a nice C implementation of AES-GCM into the public domain, including test vectors. It could be ported to Java and then used throughout the I2P router, possibly reducing packet size and at the same time increasing security.

Just saying.
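Added example, not code from the ticket or from I2P: the two constructions the report contrasts, written against Go's standard library. The SSU-style side is AES-256-CBC with an explicit IV followed by HMAC-MD5 over iv||ciphertext, the proposed side is AES-GCM; the packet layouts, the caller-supplied IV/nonce and the pre-padded input are assumptions made for this example, not SSU's real wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/md5"
	"errors"
)

// SSU as quoted in the ticket: AES-256-CBC (enc) with an explicit IV, then HMAC-MD5 (128-bit tag) over
// iv||ct. Packet = iv(16)||ct||tag(16); msg is pre-padded to 16-byte blocks. Layout is an assumption.
func sealCBCHMAC(enc cipher.Block, macKey, iv, msg []byte) []byte {
	pkt := append(append([]byte{}, iv...), make([]byte, len(msg))...)
	cipher.NewCBCEncrypter(enc, iv).CryptBlocks(pkt[aes.BlockSize:], msg)
	mac := hmac.New(md5.New, macKey)
	mac.Write(pkt)
	return mac.Sum(pkt) // appends the 16-byte tag to iv||ct
}

// The tag is checked in constant time before any decryption, so a forged or bit-flipped packet never
// reaches CBC. Security rests on HMAC's PRF property, not on MD5's broken collision resistance.
func openCBCHMAC(enc cipher.Block, macKey, pkt []byte) ([]byte, error) {
	n := len(pkt) - md5.Size
	if n < aes.BlockSize || n%aes.BlockSize != 0 {
		return nil, errors.New("authentication failed")
	}
	mac := hmac.New(md5.New, macKey)
	mac.Write(pkt[:n])
	if !hmac.Equal(mac.Sum(nil), pkt[n:]) {
		return nil, errors.New("authentication failed")
	}
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(enc, pkt[:aes.BlockSize]).CryptBlocks(pt, pkt[aes.BlockSize:n])
	return pt, nil
}

// The AEAD the ticket proposes: AES-GCM encrypts and authenticates with one key in one pass.
// Packet = nonce(12)||ct||tag(16): 28 bytes of overhead against 32 for iv+HMAC, and no padding.
func sealGCM(aead cipher.AEAD, nonce, msg []byte) []byte {
	return aead.Seal(append([]byte{}, nonce...), nonce, msg, nil)
}

func openGCM(aead cipher.AEAD, pkt []byte) ([]byte, error) {
	if len(pkt) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("authentication failed")
	}
	return aead.Open(nil, pkt[:aead.NonceSize()], pkt[aead.NonceSize():], nil)
}
```

Both receivers reject a packet with a flipped bit before producing any plaintext; the GCM packet is four bytes shorter for the same payload, which is the size argument the report makes.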


Change History (4)

comment:1 Changed 7 years ago by zzz

Component: unspecified → router/transport
Owner: set to zzz
Parent Tickets: 856

Sure, but lower priority than some other crypto migration, and an incompatible change. See links in parent ticket #856.

Security depends on many factors, including the lifetime the hash is used for, other encryption used in combination, etc.

So there's more to the story than just "MD5 = bad, panic".

comment:2 Changed 7 years ago by ExtraBattery

MD5 = bad, panic
HMAC-MD5 = no practical attack known

It's non-standard, yet Tiger performs (on x64) nearly as well as MD5. BLAKE2 is faster than MD5. SHA3-256 is faster than SHA-256.

comment:3 Changed 3 years ago by zzz

Parent Tickets: 856 → 856, 2199

comment:4 Changed 3 years ago by zzz

Milestone: n/a
Resolution: wontfix
Status: new → closed

NTCP2 will use ChaCha20/Poly1305. See #2199 and proposal 111. Any replacement for SSU and its HMAC-MD5 isn't even in the proposal stage yet and is a year or more away, but we would certainly be informed by the decisions made for NTCP2. Closing this for now so we may close #2199.
