mirrors/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2025-02-23 22:47:12 +01:00
Code Issues Projects Releases Wiki Activity

Note DH security hacks in tor-spec

Browse source 
svn:r4800
This commit is contained in:
Nick Mathewson 2005-08-19 21:55:47 +00:00
parent 8d7dcb9e69
commit 6b04e30dc6
1 changed files with 25 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
doc/tor-spec.txt
View file

@ -233,16 +233,31 @@ TODO: (very soon)
4.2. Setting circuit keys 4.2. Setting circuit keys
Once the handshake between the OP and an OR is completed, both Once the handshake between the OP and an OR is completed, both servers can
servers can now calculate g^xy with ordinary DH. From the base key now calculate g^xy with ordinary DH. Before computing g^xy, both client
material g^xy, they compute derivative key material as follows. and server MUST verify that the received g^x/g^y value is not degenerate;
First, the server represents g^xy as a big-endian unsigned integer. that is, it must be strictly greater than 1 and strictly less than p-1
Next, the server computes 100 bytes of key data as K = SHA1(g^xy | where p is the DH modulus. Implementations MUST NOT complete a handshake
[00]) | SHA1(g^xy | [01]) | ... SHA1(g^xy | [04]) where "00" is with degenerate keys. Implementions MAY discard other "weak" g^x values.
a single octet whose value is zero, [01] is a single octet whose
value is one, etc. The first 20 bytes of K form KH, bytes 21-40 form (Discarding degenerate keys is critical for security; if bad keys are not
the forward digest Df, 41-60 form the backward digest Db, 61-76 form discarded, an attacker can substitute the server's CREATED cell's g^y with
Kf, and 77-92 form Kb. 0 or 1, thus creating a known g^xy and impersonating the server.)
(The mainline Tor implementation discards all g^x values that are less
than 2^24, that are greater than p-2^24, or that have more than 1024-16
identical bits. This constitutes a negligible portion of the keyspace;
the chances of stumbling on such a key at random are astronomically
small. Nevertheless, implementors may wish to make their implementations
discard such keys.)
From the base key material g^xy, they compute derivative key material as
follows. First, the server represents g^xy as a big-endian unsigned
integer. Next, the server computes 100 bytes of key data as K = SHA1(g^xy
| [00]) | SHA1(g^xy | [01]) | ... SHA1(g^xy | [04]) where "00" is a single
octet whose value is zero, [01] is a single octet whose value is one, etc.
The first 20 bytes of K form KH, bytes 21-40 form the forward digest Df,
41-60 form the backward digest Db, 61-76 form Kf, and 77-92 form Kb.
KH is used in the handshake response to demonstrate knowledge of the KH is used in the handshake response to demonstrate knowledge of the
computed shared key. Df is used to seed the integrity-checking hash computed shared key. Df is used to seed the integrity-checking hash