Reuse Y in ntor
Y serves two purposes in ntor: it provides forward secrecy, and it provides freshness (i.e. it ensures that the resulting session key will never be used for more than one session).
Forward secrecy only requires that y be reasonably short-lived. Changing it every 5 minutes is more than adequate.
Freshness could have been obtained by sending a server-provided nonce in the handshake, and including that nonce in every hash performed by ntor (and thus in the resulting key). Unfortunately, Tor's current ntor protocol doesn't allow for a nonce.
The best that can be done without a protocol change is:
- store (y, Y) on a per-thread basis;
- generate a secret SipHash key k along with each (y, Y);
- keep a per-thread 2^14-bit replay-detection Bloom filter of the bX values computed during the server handshake, using SipHash as the hash and k as the key;
- if the Bloom filter cannot prove that the bX computed during a handshake is new, generate a new (y, Y) and k, and clear the Bloom filter.
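The scheme above, as an added illustration (not Tor's code): one thread's (y, k, Bloom filter) state with time-based rotation for forward secrecy and filter-driven rotation for freshness. It assumes keyed BLAKE2b as a stand-in for SipHash (SipHash is not in Python's standard library), 4 hash positions per element, and random bytes in place of a real Curve25519 key pair; bX is treated as opaque bytes and per-thread storage is left to the caller.

```python
import hashlib
import os
import time

BLOOM_BITS = 1 << 14   # the 2^14-bit replay filter from the proposal
BLOOM_HASHES = 4       # hash positions per element (assumption, not from the page)


class NtorServerState:
    """One thread's state: the ephemeral secret y, a secret hash key k and a
    Bloom filter of the bX values already seen under this (y, Y)."""

    def __init__(self, max_age=300.0):
        self.max_age = max_age       # forward-secrecy rotation interval (5 minutes)
        self.generation = 0
        self._rotate()

    def _rotate(self):
        # Placeholder for a fresh Curve25519 pair: only the secret is modelled here.
        self.y = os.urandom(32)
        self.k = os.urandom(16)      # a fresh hash key accompanies every new (y, Y)
        self.bloom = bytearray(BLOOM_BITS // 8)
        self.created = time.monotonic()
        self.generation += 1

    def _positions(self, bx):
        # Keyed BLAKE2b stands in for SipHash keyed with k.
        digest = hashlib.blake2b(bx, key=self.k, digest_size=4 * BLOOM_HASHES).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "little") % BLOOM_BITS
                for i in range(BLOOM_HASHES)]

    def _seen(self, positions):
        return all(self.bloom[p >> 3] & (1 << (p & 7)) for p in positions)

    def server_handshake(self, bx):
        """Record bX for one handshake and return the generation of (y, Y) used.
        A bX the filter cannot prove new (replay or false positive) forces a rotation."""
        if time.monotonic() - self.created > self.max_age:
            self._rotate()
        positions = self._positions(bx)
        if self._seen(positions):
            self._rotate()                       # new (y, Y), new k, empty filter
            positions = self._positions(bx)      # k changed, so recompute under the new key
        for p in positions:
            self.bloom[p >> 3] |= 1 << (p & 7)
        return self.generation
```

A Bloom filter has no false negatives, so a repeated bX is always caught; a false positive only costs an early rotation, never a reused session key.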