[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #3122 [Tor Client]: Write and use constant-time comparison functions



#3122: Write and use constant-time comparison functions
-------------------------+--------------------------------------------------
 Reporter:  rransom      |          Owner:  ioerror
     Type:  enhancement  |         Status:  new    
 Priority:  major        |      Milestone:         
Component:  Tor Client   |        Version:         
 Keywords:               |         Parent:         
   Points:               |   Actualpoints:         
-------------------------+--------------------------------------------------

Comment(by rransom):

 Replying to [comment:2 cypherpunks]:
 > There are a lot of places in the code where memcmp() is called on memory
 buffers that look like they might contain various hashes or digests:

 Applying memcmp to a hash or digest is not normally a problem.  memcmp is
 only dangerous when applied to a MAC, password, or other secret value
 which the attacker can attempt to guess one byte at a time.

 There are a few cases where we pretend that a hash value of non-secret
 information is hard for an attacker to guess, most notably in our bridge
 design where anyone who knows the hash of a published bridge's identity
 public key can use that hash to retrieve the bridge's descriptor from the
 bridge authority, but the correct fix for that type of security hole is to
 stop using a value that is so easily obtained as a password of any kind.

 > Some cases look particularly concerning. For example, in the following
 code 'handshake_reply' appears to be supplied by the remote party and it
 is compared with something called "key material".
 >
 > src/or/onion.c:331:
 {{{
   if (memcmp(key_material, handshake_reply+DH_KEY_LEN, DIGEST_LEN)) {
     /* H(K) does *not* match. Something fishy. */
      log_warn(LD_PROTOCOL,"Digest DOES NOT MATCH on onion handshake. "
            "Bug or attack.");
     goto err;
   }
 }}}
 >
 > In the worst-case, the attacker could simply supply different values of
 handshake_reply, observe how long each takes to compare, and figure out
 the value of key_material statistically byte-by-byte.

 Or the attacker could read HK out of the (plaintext) CREATED cell sent by
 the relay, exactly where the client is reading it from.

 HK is a hash of the Diffie-Hellman shared secret between a client and a
 relay, and it is used in exactly two ways in Tor's protocol: for key
 confirmation (the use you are complaining about), and as a replay-
 prevention nonce in the hidden-service protocol.  We know it is public
 information.

 And as nickm just explained, the attacker cannot extract the correct value
 of HK for a handshake from the client using a timing attack on that memcmp
 because the attacker can only test one guess.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3122#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs