wiki:Crypto/CurrentSpecs

Version 66 (modified by zzz, 6 years ago) (diff)

add tunnel encryption, signing revocation, strategy, more links

This page summarizes the current state of the I2P cryptography.

Currently used ciphers

Symmetric

Cipher Used lengths Security Comments
AES-CBC [8] 256 Good [5] See [8] for p/q/g. A good choice due to common support for hardware acceleration??? Really? We don't support hardware acceleration. Never used alone, always with ElG+SessionTag? [8] Notes about padding in [8] are incorrect and to be fixed (see trac ticket)

Asymmetric

Cipher Used lengths Security Comments
ElGamal [8] 2048 >Poor [5]??? We use "short exponent" [8]. See [8] for prime.

MAC

Cipher Security Implementability Comments
HMAC-MD5-128 Good [5] nonstandard, used in SSU

Hashes

Cipher Used lengths Security Comments
SHA256 [8] 256 Good [5] Slow compared to SHA-3. Used everywhere.

Key Exchange

Cipher Used lengths Security Comments
DH [8] 2048 Both NTCP and SSU. Uses same prime as ElG [8]

Signatures

Cipher Used lengths Security Comments
DSA [8] 1024 Poor [5] [10] We use DSA for all signatures. We do not use ElG as it was deemed too slow. That's why every Dest and RI has two keys, one for crypto and one for signing. Note that we do not support signing key revocation for anything.

Cipher usage

Router aspect Cipher used Security timescale Usage details Comments
NTCP handshake DSA ???
SSU handshake DSA ???
RouterInfo signing DSA ???
LeaseSet signing? DSA Years 75% verif.? (guesstimation)
LeaseSet revocation (unused) DSA ???
I2CP Session Config signing DSA ???
Datagram signing DSA ???
Streaming message signing DSA ???
SUD signing DSA Years and years 99% verif.
Tunnel Build Messages [8] ElG
NetDB Lookups / Stores [8] ElG/AES+SessionTag? Only some are encrypted [8]
End-to-End Encryption [8] ElG/AES+SessionTag?
Transport key exchange [8] DH Both NTCP and SSU
NTCP Transport encryption [8] AES
SSU Transport encryption [8] AES With nonstandard HMAC-MD5-128 [8]
Tunnel encryption hop-by-hop [9] AES See [9] for details
Hashes [8] SHA-256 Used as the netdb keys and would be very disruptive to change [8]

Potential new ciphers

Asymmetric ciphers

Cipher Suggested length Speed [6] Security Implementability Comments
EC-DSA 256 Sign.: 9203/s
Verif.: 4658/s
Good [5] Java7 BouncyCastle
EC-DSA 384 Sign.: 4791/s
Verif.: 1085/s
>Good [5]??? Java7 BouncyCastle
RSA-PKCS#1 v1.5 2048 Sign.: 770/s
Verif.: 25184/s
Poor [5]
RSA-PKCS#1 v1.5 3072 Decent [5]
RSA-PKCS#1 v1.5 4096 Sign.: 108/s
Verif.: 6757/s
>Decent [5]???
RSA-PSS 2048 Sign.: 770/s
Verif.: 25184/s
Decent [5]
RSA-PSS 3072 Good [5]
RSA-PSS 4096 Sign.: 108/s
Verif.: 6757/s
>Good [5]???
DSA 160/1024 Sign.: 8176/s
Verif.: 7500/s
Poor [5]
DSA 224/2048
256/2048
Sign.: 2548/s
Verif.: 2089/s
>Poor [5]???
DSA 256/3072 Decent [5]
ElGamal 256/2048 About the same as DSA-2048 as
DSA is based on ElGamal?
I2P

Symmetric ciphers

Cipher Suggested length Speed Security Implementability Comments
Twofish 256 Bits 256-Bit Twofish is faster than 256-bit Rijndael(AES) on the same hardware

Hashes

Cipher Security Implementability Comments
SHA3(Keccak) Good enough to be recommended by NIST Faster than the SHA-2 family
RIPEMD-160 Decent [5]
RIPEMD-320 ~RIPEMD-160 [7]

MAC

Cipher Security Implementability Comments
HMAC Good [5]
CMAC Good [5]
CBC-MAC-X9.19 Good [5]
CBC-MAC-EMAC Good [5]

Strategy

At first glance, current signing algo (DSA) is the weakest, and signing is far easier to understand and analyze than crypto, so it's probably a good place to start. [8] [10]



[1] http://www.cryptopp.com/benchmarks.html
[2] http://tools.ietf.org/html/rfc4492
[3] NIST 2011 http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
[4] http://www.keylength.com/en/compare/
[5] ECRYPT II 2011 http://www.ecrypt.eu.org/documents/D.SPA.17.pdf
[6] OpenSSL Benchmark
[7] http://en.wikipedia.org/wiki/RIPEMD - Citation needed
[8] http://www.i2p2.i2p/how_cryptography and see more references there
[9] http://www.i2p2.i2p/tunnel-alt.html tunnel encryption
[10] http://zzz.i2p/topics/715 DSA replacement