[tor-bugs] #8121 [Tor]: IA-32 Tor users with NaCl may be distinguishable from others
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jan 31 19:11:02 UTC 2013
#8121: IA-32 Tor users with NaCl may be distinguishable from others
----------------------+-----------------------------------------------------
Reporter: rransom | Owner:
Type: defect | Status: new
Priority: critical | Milestone: Tor: 0.2.4.x-final
Component: Tor | Version:
Keywords: | Parent:
Points: | Actualpoints:
----------------------+-----------------------------------------------------
curve25519-donna and curve25519-donna-c64 make no special effort to retain
the high bit of a public-key coordinate-field element.
The ref implementation in NaCl makes no special effort to clear it.
(Fortunately, Tor refuses to use this one.)
The non-free athlon implementation in NaCl is an unreadable blob with no
source code in sight, and I don't have a 32-bit environment to test it in
handy, but a web page documenting an earlier version of that
implementation ([http://cr.yp.to/ecdh.html#validate]) seems to imply that
the high bit is considered part of the coordinate-field element. If this
is true, it's an anonymity issue for Tor users who use the ntor handshake.
The donna_c64 implementation in NaCl has the same behaviour as the
curve25519-donna-c64 implementation shipped with Tor.
Tor must either clear the high bit of every Curve25519 public key it uses,
or reduce every Curve25519 public key modulo the field order (the former
is easier and consistent with the behaviour of the free Curve25519
implementations shipped in the Tor source package).
(It appears that a relay can only exploit this by causing a user's
handshake to fail, but it's still an anonymity bug.)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8121>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list