[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] prop224: Deprecating SHA1 circuit digests



> On 22 Jul 2017, at 00:07, David Goulet <dgoulet@xxxxxxxxx> wrote:
> 
> On 22 Jul (00:02:33), teor wrote:
>> Hi all,
>> 
>> At the moment, Tor uses SHA1 for the running digests of circuit cell
>> payloads.
>> 
>> Some of the prop224 code seems to use SHA256 for the digests for
>> client to service rendezvous circuits. But that's not in the spec yet
>> (see #22995 at [0]).
> 
> That is not accurate. It uses SHA3, notice DIGEST_SHA3_256 in
> circuit_init_cpath_crypto():
> 
>  if (is_hs_v3) {
>    digest_len = DIGEST256_LEN;
>    cipher_key_len = CIPHER256_KEY_LEN;
>    cpath->f_digest = crypto_digest256_new(DIGEST_SHA3_256);
>    cpath->b_digest = crypto_digest256_new(DIGEST_SHA3_256);
>  }  ...

Oops, missed the "3".

We still need to think about how we migrate hashes, because all hashes
break eventually:
https://valerieaurora.org/hash.html

And I am concerned that we might be hard-coding either SHA1 or SHA3-256
in the v3 hidden service protocol.

The following handshakes depend on version information in the HSv3 protocol:
* client to intro,
* service to rend, and
* client to service.
They can't use version information from the consensus.

I've opened a ticket for this:

https://trac.torproject.org/projects/tor/ticket/23010

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
------------------------------------------------------------------------



Attachment: signature.asc
Description: Message signed with OpenPGP

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev