[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] Note DH security hacks in tor-spec
Update of /home/or/cvsroot/tor/doc
In directory moria:/tmp/cvs-serv11750/doc
Modified Files:
tor-spec.txt
Log Message:
Note DH security hacks in tor-spec
Index: tor-spec.txt
===================================================================
RCS file: /home/or/cvsroot/tor/doc/tor-spec.txt,v
retrieving revision 1.90
retrieving revision 1.91
diff -u -d -r1.90 -r1.91
--- tor-spec.txt 8 Jul 2005 15:42:03 -0000 1.90
+++ tor-spec.txt 19 Aug 2005 21:55:47 -0000 1.91
@@ -233,16 +233,31 @@
4.2. Setting circuit keys
- Once the handshake between the OP and an OR is completed, both
- servers can now calculate g^xy with ordinary DH. From the base key
- material g^xy, they compute derivative key material as follows.
- First, the server represents g^xy as a big-endian unsigned integer.
- Next, the server computes 100 bytes of key data as K = SHA1(g^xy |
- [00]) | SHA1(g^xy | [01]) | ... SHA1(g^xy | [04]) where "00" is
- a single octet whose value is zero, [01] is a single octet whose
- value is one, etc. The first 20 bytes of K form KH, bytes 21-40 form
- the forward digest Df, 41-60 form the backward digest Db, 61-76 form
- Kf, and 77-92 form Kb.
+ Once the handshake between the OP and an OR is completed, both servers can
+ now calculate g^xy with ordinary DH. Before computing g^xy, both client
+ and server MUST verify that the received g^x/g^y value is not degenerate;
+ that is, it must be strictly greater than 1 and strictly less than p-1
+ where p is the DH modulus. Implementations MUST NOT complete a handshake
+ with degenerate keys. Implementions MAY discard other "weak" g^x values.
+
+ (Discarding degenerate keys is critical for security; if bad keys are not
+ discarded, an attacker can substitute the server's CREATED cell's g^y with
+ 0 or 1, thus creating a known g^xy and impersonating the server.)
+
+ (The mainline Tor implementation discards all g^x values that are less
+ than 2^24, that are greater than p-2^24, or that have more than 1024-16
+ identical bits. This constitutes a negligible portion of the keyspace;
+ the chances of stumbling on such a key at random are astronomically
+ small. Nevertheless, implementors may wish to make their implementations
+ discard such keys.)
+
+ From the base key material g^xy, they compute derivative key material as
+ follows. First, the server represents g^xy as a big-endian unsigned
+ integer. Next, the server computes 100 bytes of key data as K = SHA1(g^xy
+ | [00]) | SHA1(g^xy | [01]) | ... SHA1(g^xy | [04]) where "00" is a single
+ octet whose value is zero, [01] is a single octet whose value is one, etc.
+ The first 20 bytes of K form KH, bytes 21-40 form the forward digest Df,
+ 41-60 form the backward digest Db, 61-76 form Kf, and 77-92 form Kb.
KH is used in the handshake response to demonstrate knowledge of the
computed shared key. Df is used to seed the integrity-checking hash