1
0
mirror of https://github.com/DNSCrypt/dnscrypt-proxy.git synced 2024-12-28 00:20:13 +01:00
Commit Graph

10 Commits

Author SHA1 Message Date
Frank Denis
f8293f56a9 Update deps 2024-09-10 23:28:24 +02:00
Frank Denis
63f8d9b30d Update deps 2024-01-18 23:47:00 +01:00
Frank Denis
0ba728b6ce Update deps 2023-11-15 15:51:48 -08:00
Frank Denis
98ab4aee23 Update deps 2021-06-07 15:54:56 +02:00
Frank Denis
bbf4094508 Deps update 2021-02-20 18:55:58 +01:00
Frank Denis
3ae3fe2f18 x/crypto update 2020-12-10 19:00:57 +01:00
Frank Denis
c6b2869317 Update Poly1305 dep 2020-04-26 13:03:48 +02:00
Frank Denis
6f62a82496 Update deps 2019-12-21 21:28:07 +01:00
Frank Denis
25ac94e7b2 Revert "Add Stretch-Hash-and-Truncate option for extreme DNS privacy"
This reverts commit 2d1dd7eaab.
2019-04-02 01:57:48 +02:00
Frank Denis
2d1dd7eaab Add Stretch-Hash-and-Truncate option for extreme DNS privacy
This works over DNSCrypt and DoH, but requires a specifically configured
server.

Instead of sending the actual DNS queries, the SH-T system works as follows:

Step 1: the client query is evaluated through Argon2id, a military-grade,
memory-hard, CPU-hard stretching function. This makes it very expensive
for an attacker to find the original query, even using GPUs and ASICs.
For post-quantum resistance, we use it to generate a 1024-bit key.

Step 2: in case the Argon2id algorithm has a vulnerability, or, since this
is a popular function used for hashing passwords and for cryptocurrencices,
and people may have built rainbow tables already, we use a hash function over
the result of the previous function. This immediately defeats rainbow tables.

Step 3: the output of the hash function is truncated to 64-bit.
Due to a property of this operation known as collision-misresistance, and even
if the previous steps fail due to a nation-state actor, it is impossible for a
server operator to prove what exact query was originally sent by a client.

This feature is experimental.
2019-04-01 09:36:56 +02:00