wiki:Crypto/CurrentSpecs

This page summarizes the current state of the I2P cryptography.

Currently used ciphers

Symmetric

Cipher Used lengths Security Comments
AES-CBC [8] 256 Good [5] See [8] for p/q/g. A good choice due to common support for hardware acceleration??? Really? We don't support hardware acceleration. Never used alone, always with ElG+SessionTag? [8] Notes about padding in [8] are incorrect and to be fixed (see trac ticket)

Asymmetric

Cipher Used lengths Security Comments
ElGamal [8] 2048 >Poor [5]??? We use "short exponent" [8]. See [8] for prime.

MAC

Cipher Security Implementability Comments
HMAC-MD5-128 Poor [5] nonstandard, used in SSU

Hashes

Cipher Used lengths Security Comments
SHA256 [8] 256 Good [5] Slow compared to SHA-3. Used everywhere.

Key Exchange

Cipher Used lengths Security Comments
DH [8] 2048 Both NTCP and SSU. Uses same prime as ElG [8]

Signatures

Cipher Used lengths Security Comments
DSA [8] 1024 Poor [5] [10] We use DSA for all signatures. We do not use ElG as it was deemed too slow. That's why every Dest and RI has two keys, one for crypto and one for signing. Note that we do not support signing key revocation for anything.

Cipher usage

Router aspect Cipher used Key used Security timescale Usage details Comments
NTCP handshake DSA RI SigKey ??? see below
SSU handshake DSA RI SigKey ??? see below
RouterInfo signing DSA RI SigKey Years but… Right now there's no limit on RI key lifetime but we could force a regeneration after a certain amount of time, esp. on startup after a long downtime
LeaseSet signing? DSA Dest SigKey Years 75% verif.? (guesstimation)
LeaseSet revocation (unused) DSA LS SigKey ???
I2CP Session Config signing DSA ???
Datagram signing DSA Years and years? Or is it the other LS key? There's multiple keys in a LS, some are in the Dest (i.e. tied to the hosts.txt entry) and some are regenerated at startup. Of course for client tunnels, keys are not persistent, all are regenerated at startup (or on reconnect if so configured in i2ptunnel)
Streaming message signing DSA Years and years? ditto
SUD signing DSA Years and years 99% verif. Keys are hardcoded in i2p source, and revokable by removing them. New file format required to change algo, proposal at http://zzz.i2p/topics/1351
Tunnel Build Messages [8] ElG RI EncKey
NetDB Lookups / Stores [8] ElG/AES+SessionTag? Years but… Only some are encrypted [8] Right now there's no limit on RI key lifetime but we could force a regeneration after a certain amount of time
End-to-End Encryption [8] ElG/AES+SessionTag? LS EncKey
Transport key exchange [8] DH Both NTCP and SSU
NTCP Transport encryption [8] AES DH key
SSU Transport encryption [8] AES DH key With nonstandard HMAC-MD5-128 [8]
Tunnel encryption hop-by-hop [9] AES See [9] for details
Hashes [8] SHA-256 Used as the netdb keys and would be very disruptive to change [8]

Potential new ciphers

Asymmetric ciphers

Cipher Suggested length Speed [6] Security Implementability Comments
EC-DSA 256 Sign.: 9203/s
Verif.: 4658/s
Good [5] Java7 BouncyCastle
EC-DSA 384 Sign.: 4791/s
Verif.: 1085/s
>Good [5]??? Java7 BouncyCastle
RSA-PKCS#1 v1.5 2048 Sign.: 770/s
Verif.: 25184/s
Poor [5]
RSA-PKCS#1 v1.5 3072 Decent [5]
RSA-PKCS#1 v1.5 4096 Sign.: 108/s
Verif.: 6757/s
>Decent [5]???
RSA-PSS 2048 Sign.: 770/s
Verif.: 25184/s
Decent [5]
RSA-PSS 3072 Good [5]
RSA-PSS 4096 Sign.: 108/s
Verif.: 6757/s
>Good [5]???
DSA 160/1024 Sign.: 8176/s
Verif.: 7500/s
Poor [5]
DSA 224/2048
256/2048
Sign.: 2548/s
Verif.: 2089/s
>Poor [5]???
DSA 256/3072 Decent [5]
ElGamal 256/2048 About the same as DSA-2048 as
DSA is based on ElGamal?
I2P

Symmetric ciphers

Cipher Suggested length Speed Security Implementability Comments
Twofish 256 Bits 256-Bit Twofish is faster than 256-bit Rijndael(AES) on the same hardware

Hashes

Cipher Security Implementability Comments
SHA3(Keccak) Good enough to be recommended by NIST Faster than the SHA-2 family
RIPEMD-160 Decent [5]
RIPEMD-320 ~RIPEMD-160 [7]

MAC

Cipher Security Implementability Comments
HMAC Good [5]
CMAC Good [5]
CBC-MAC-X9.19 Good [5]
CBC-MAC-EMAC Good [5]

Strategy

At first glance, current signing algo (DSA) is the weakest, and signing is far easier to understand and analyze than crypto, so it's probably a good place to start. [8] [10]



[1] http://www.cryptopp.com/benchmarks.html
[2] http://tools.ietf.org/html/rfc4492
[3] NIST 2011 http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
[4] http://www.keylength.com/en/compare/
[5] ECRYPT II 2012 http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf
[6] OpenSSL Benchmark
[7] http://en.wikipedia.org/wiki/RIPEMD - Citation needed
[8] https://geti2p.net/spec/cryptography and see more references there
[9] https://geti2p.net/en/docs/tunnels/implementation tunnel encryption
[10] http://zzz.i2p/topics/715 DSA replacement

Last modified 2 years ago Last modified on Mar 10, 2018 12:48:24 PM