[tor-bugs] #17694 [Tor]: Hash PRNG output before use, so that it's not revealed to the network

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Dec 8 13:57:39 UTC 2015 

#17694: Hash PRNG output before use, so that it's not revealed to the network
-------------------------+------------------------------------
 Reporter:  teor         |          Owner:
     Type:  enhancement  |         Status:  needs_information
 Priority:  Medium       |      Milestone:  Tor: 0.2.8.x-final
Component:  Tor          |        Version:  Tor: unspecified
 Severity:  Normal       |     Resolution:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
  Sponsor:               |
-------------------------+------------------------------------

Comment (by nickm):

 Replying to [comment:5 ioerror]:
 > I asked a cryptographer sitting next to me and they suggested that my
 suggested approach is reasonable. Hash the PRNG output. Or more directly:
 "Never reveal pure randomness outputs."

 Could you ask the cryptographer to jabber or IRC or email me quickly or
 something? I don't think the reasoning makes sense in this case, for a few
 of reasons:

   1) We know what the PRNG is.
   2) OpenSSL already exposes the PRNG outputs (in ClientHello and
 ServerHello, at least), and we can't stop it from doing that without
 replacing the PRNG.
   3) The PRNG is under our control. The answer to a questionable PRNG
 would seem to be replacing it with a non-broken PRNG.

 > For example, what happens when someone uses RDRAND internally?

 We detect attempts to replace the OpenSSL PRNG with the RDRAND engine, or
 any other engine; see #10402.

 > In theory, nothing in our stack does that; in practice, I guess that is
 incorrect. Something in the kernel, for example? Some weird OpenSSL builds
 or something?
 >
 > Not to say that RDRAND is backdoored but that if it was, I think a hash
 would prevent what we currently understand to be a way to exploit a Dual-
 EC like backdoor.

 It would only prevent it if openssl itself stopped exposing direct
 outputs, right?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17694#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list