[tor-bugs] #7098 [Tor]: Add safe-cookie authentication to Extended ORPort and TransportControlPort

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Nov 19 16:21:17 UTC 2012


#7098: Add safe-cookie authentication to Extended ORPort and TransportControlPort
------------------------+---------------------------------------------------
 Reporter:  asn         |          Owner:                    
     Type:  defect      |         Status:  needs_review      
 Priority:  normal      |      Milestone:  Tor: 0.2.4.x-final
Component:  Tor         |        Version:                    
 Keywords:  tor-bridge  |         Parent:  #4773             
   Points:              |   Actualpoints:                    
------------------------+---------------------------------------------------

Comment(by asn):

 Hm, I'm considering replacing:
 {{{
   + ClientHash is computed as:
       HMAC-SHA256("ExtORPort authentication safe cookie client-to-server
 hash",
                   CookieString | ClientNonce | ServerNonce)
 }}}

 with:

 {{{
   + ClientHash is computed as:
       HMAC-SHA256(SHA256(CookieString | ClientNonce | ServerNonce),
                   "ExtORPort authentication safe cookie client-to-server
 hash")
 }}}


 and the same for `ServerHash`. This allows us to use the HMAC construction
 correctly (secret used as the HMAC key).

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7098#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list