[torspec/master] prop224: hash raw random bytes before use - tor-commits

20 Nov 2015

commit 93f47f4f4e7614d4b3debfe9b5f3a22bfe5d64b1
Author: teor (Tim Wilson-Brown) teor2345@gmail.com
Date:   Fri Nov 20 11:43:51 2015 +1100
prop224: hash raw random bytes before use
Exposing raw random bytes from a PRNG has broken Dual EC:
    http://projectbullrun.org/dual-ec/ext-rand.html
Based on ioerror's feedback on prop250, make similar changes:
    https://lists.torproject.org/pipermail/tor-dev/2015-November/009954.html
---
 proposals/224-rend-spec-ng.txt |   16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt
index ad0947c..2aeb05b 100644
--- a/proposals/224-rend-spec-ng.txt
+++ b/proposals/224-rend-spec-ng.txt
@@ -865,10 +865,13 @@ Status: Draft
The encrypted data has the format:
-       SALT       (random bytes from above)       [16 bytes]
+       H(SALT)    H(random bytes from above)      [16 bytes]
        ENCRYPTED  The plaintext encrypted with S  [variable]
        MAC        MAC of both above fields        [32 bytes]
+   (We hash salt so that we don't leak the raw bytes returned by a PRNG
+   to the network. See [RANDOM-REFS].)
+
    The encryption format is ENCRYPTED =
                STREAM(SECRET_IV,SECRET_KEY) xor Plaintext
@@ -1479,7 +1482,9 @@ Status: Draft
         Pubkey    [32 bytes]
         Signature [64 bytes]
-   Nonce is a random value. Pubkey is the public key that will be used
+   Nonce is a random value. (Noncen should be derived from hashed PRNG
+   output, so that we don't leak the raw bytes returned by a PRNG to the
+   network. See [RANDOM-REFS].) Pubkey is the public key that will be used
    to authenticate. [TODO: should this be an identifier for the public
    key instead?]  Signature is the signature, using Ed25519, of:
@@ -1522,7 +1527,9 @@ Status: Draft
    by the client. The client SHOULD choose a new rendezvous cookie for
    each new connection attempt. If the rendezvous cookie is already in
    use on an existing circuit, the rendezvous point should reject it and
-   destroy the circuit.
+   destroy the circuit. RENDEZVOUS_COOKIE should be derived using hashed
+   PRNG output, so that we don't leak the raw bytes returned by a PRNG
+   to the network. See [RANDOM-REFS].
Upon receiving a ESTABLISH_RENDEZVOUS cell, the rendezvous point
    associates the cookie with the circuit on which it was sent. It
@@ -1639,6 +1646,9 @@ References:
         J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and
         Bo-Yin Yang. http://cr.yp.to/papers.html#ed25519
+[RANDOM-REFS]:
+        http://projectbullrun.org/dual-ec/ext-rand.html
+        https://lists.torproject.org/pipermail/tor-dev/2015-November/009954.html
Appendix A. Signature scheme with key blinding [KEYBLIND]

    