[Remops] mixmaster's 1024-bit RSA is getting old
lists at notatla.org.uk
lists at notatla.org.uk
Wed Oct 30 18:56:41 GMT 2013
> In the process of revising the mixmaster header spec, is there any way
> to eliminate the tagging attack illustrated by Tom at http://crypto.is?
> Seems like it should be possible to incorporate something to solve this
> problem.
To beat the tagging attack the remailer must not only check
the integrity of the header it processes but if there is a
further hop it must check the integrity of the next hop to
see it is unchanged since leaving the client.
Look at the use of "antitag" in
send_packet() function in chain2.c
mix2_decrypt() function in rem2.c
I have tested all the HMAC checks with a corrupt client that changes a byte
in the relevant field just after the HMAC is made and confirmed the remailer
rejects them ae messages the correct place.
More information about the Remops
mailing list