About the key derivation algorithm used in the Control Port password authentication

Although several parts of Tor have been redesigned and upgraded over many years, the algorithm for the HashedControlPassword still remained the same. It still uses SHA-1 as the basis of the OpenPGP S2K algorithm, despite the fact that the algorithm has long since been obsoleted by newer and better hashing algorithms (on top of it, has had some practical collision attacks[1]). This is made worse by the fact that the S2K algorithm is not iterative (in the sense of recursive hashing), but rather repeats the salt+password many times in the hash digest until it reaches a certain amount of bytes. Theoretically, an attacker can expose this to authenticate into a Tor Control Port without having to know the password. Are there any plans to revamp the algorithm for newer Tor versions?

[1]: https://shattered.io/
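The derivation described in the message above, written out as an added example (not part of the original post and not Tor's own code). It assumes the value layout printed by `tor --hash-password`: the prefix `16:` followed by the hex of an 8-byte salt, a one-byte coded count (`0x60`) and the 20-byte SHA-1 digest; the function names are illustrative.

```python
import hashlib
import hmac
import os

EXPBIAS = 6  # exponent bias from RFC 4880, section 3.7.1.3

def s2k_count(c):
    """Decode the one-byte coded count into the number of bytes fed to SHA-1."""
    return (16 + (c & 15)) << ((c >> 4) + EXPBIAS)

def s2k_sha1(password, salt, c):
    """One SHA-1 pass over salt+password, repeated (last copy truncated) up to s2k_count(c) bytes."""
    block = salt + password
    full, rest = divmod(s2k_count(c), len(block))
    h = hashlib.sha1()
    for _ in range(full):
        h.update(block)
    h.update(block[:rest])
    return h.digest()

def hash_control_password(password, salt=None, c=0x60):
    """Build a HashedControlPassword value: '16:' + hex(salt || c || digest)."""
    salt = os.urandom(8) if salt is None else salt
    digest = s2k_sha1(password.encode(), salt, c)
    return "16:" + (salt + bytes([c]) + digest).hex().upper()

def verify_control_password(password, stored):
    """Recompute the digest from the stored salt and count byte, then compare in constant time."""
    raw = bytes.fromhex(stored.split(":", 1)[1])
    salt, c, expected = raw[:8], raw[8], raw[9:]
    return hmac.compare_digest(s2k_sha1(password.encode(), salt, c), expected)

if __name__ == "__main__":
    # Constructed sample password, used only to show the output shape.
    stored = hash_control_password("constructed-example-password")
    print(stored)
    # The whole work factor is a single hash over this many bytes.
    print("bytes hashed per verification:", s2k_count(0x60))
    print(verify_control_password("constructed-example-password", stored))
```

The coded count only sets how many bytes of repeated input go through a single SHA-1 computation, so the cost per verification is fixed at one hash over 64 KiB, with no chained rounds and no memory hardness.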

On 01/03/2025 17.33, techmetx11 via tor-dev wrote:
> Are there any plans to revamp the algorithm for newer Tor versions?

I don't think so. All the focus right now is on getting Arti into a state where it can replace all of Tor's current usage. Arti has just gotten an RPC layer that we hope to get feedback on from integrators.

C Tor is in a development mode right now where we mostly fix things that are needed for the Tor Network (relays, and tooling around relays), and features/removal of features that makes it easier to implement our protocols for Arti.

As the ControlPort is generally only used on local machines, I doubt this is something that we will want to fix.

Cheers,
Alex

--
Alexander Hansen Færøy

participants (2)
- Alexander Hansen Færøy
- techmetx11