[tor-bugs] #7202 [Tor]: Implement ntor handshake or its successor

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Dec 13 18:44:26 UTC 2012


#7202: Implement ntor handshake or its successor
--------------------------------+-------------------------------------------
 Reporter:  karsten             |          Owner:                    
     Type:  project             |         Status:  needs_revision    
 Priority:  normal              |      Milestone:  Tor: 0.2.4.x-final
Component:  Tor                 |        Version:                    
 Keywords:  SponsorZ tor-relay  |         Parent:                    
   Points:                      |   Actualpoints:                    
--------------------------------+-------------------------------------------
Changes (by rransom):

  * status:  needs_review => needs_revision


Comment:

 From
 [https://gitweb.torproject.org/nickm/tor.git/commitdiff/af175dbe07d3fd712c8d7cf232d6715a55b8580d
 commit af175dbe07d3fd712c8d7cf232d6715a55b8580d]:
 {{{
 +  /* NOTE: If we ever use a curve other than curve25519, we'll need to
 include
 +   * a check for Y's validity as a public key, or the handshake won't be
 +   * secure. We MAY need to check other public keys too; see the ntor
 paper. */
 }}}
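
Review bot: The second sentence of the NOTE, "We MAY need to check other public keys too; see the ntor paper", does not say which keys or under what condition, so whoever changes the curve later has nothing concrete to act on. Suggest naming each public key the handshake handles next to Y, and stating which property of curve25519 the code relies on to skip the check.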

 If you ever use a point-reduced Montgomery-form curve over a prime-order
 coordinate field whose ‘quadratic twist’ has smooth order, you need to
 check '''X''' (the client's ephemeral public key) for validity (to avoid
 leaking b).  Anyone who can feed a malformed Y to a client (a) won't learn
 bits of a long-term secret and (b) was already able to compute b*X, and
 thus could have impersonated the server using a properly generated Y
 anyway.

 Some other curve representations (e.g. twisted Edwards form, as used in
 Ed25519) do require that both parties check all public keys for curve
 membership, but testing for subgroup membership (the really expensive
 test) can still be avoided by choosing private keys appropriately.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7202#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
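
The curve-membership test that the comment above says would be needed for X on a Montgomery-form curve with a weak twist, as an added example (not code from Tor or from the ticket). The function names are hypothetical; the constants are the standard curve25519 parameters, and the 32-byte decoding with the top bit ignored follows RFC 7748.

```python
# Added example: curve-membership test for a Montgomery-form x-coordinate.
# Curve: y^2 = x^3 + A*x^2 + x over F_p. Defaults are the curve25519 constants.
P25519 = 2**255 - 19
A25519 = 486662


def decode_x(raw: bytes) -> int:
    """Decode a 32-byte little-endian x-coordinate, ignoring the top bit."""
    if len(raw) != 32:
        raise ValueError("public key must be exactly 32 bytes")
    return int.from_bytes(raw, "little") & ((1 << 255) - 1)


def classify_x(x: int, p: int = P25519, a: int = A25519) -> str:
    """Say whether x belongs to a point on the curve, on its twist, or both."""
    x %= p
    v = (x * x * x + a * x * x + x) % p
    if v == 0:
        return "both"  # y = 0: a point of order 2 shared by curve and twist
    # Euler's criterion: v is a nonzero square mod p iff v^((p-1)/2) == 1.
    return "curve" if pow(v, (p - 1) // 2, p) == 1 else "twist"


def on_curve(raw: bytes) -> bool:
    """True if the encoded x-coordinate is not a twist-only point.

    This is curve membership only; it says nothing about which subgroup
    the point lies in.
    """
    return classify_x(decode_x(raw)) != "twist"


if __name__ == "__main__":
    base = (9).to_bytes(32, "little")  # the standard curve25519 base point
    print("x = 9:", classify_x(decode_x(base)))
    # Constructed sample inputs: small x values, classified one by one.
    for x in range(1, 9):
        print(f"x = {x}:", classify_x(x))
```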