[tor-bugs] #17694 [Tor]: Hash PRNG output before use, so that it's not revealed to the network
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Dec 9 01:29:39 UTC 2015
#17694: Hash PRNG output before use, so that it's not revealed to the network
-------------------------+------------------------------------
Reporter: teor | Owner:
Type: enhancement | Status: needs_review
Priority: Medium | Milestone: Tor: 0.2.8.x-final
Component: Tor | Version: Tor: unspecified
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Sponsor: |
-------------------------+------------------------------------
Comment (by teor):
Replying to [comment:13 yawning]:
> Replying to [comment:12 teor]:
> > I don't think this achieves the overall goal: "make sure we never leak
raw PRNG output to the network".
> >
> > We can easily leak raw PRNG output via salts, nonces and other
randomly chosen values that are sent on the wire.
> >
> > Even our "random" choices of relays could leak some bits.
>
> At some point this becomes rather silly, not to mention expensive, to
the point where "We should ditch OpenSSL's CSPRNG, if we don't trust it if
state gets exposed somehow instead of always passing output through extra
hash functions" becomes compelling.
Depending on how it's implemented, the hashing has a performance cost of
about -40% (if we hash an entire buffer, then use it for multiple small
random calls) to +30% on Tor's typical input sizes.
>
> IMO that point now has been reached. Others are free to disagree with
me.
To be clear, I'm agnostic on hashing PRNG output. But if we want to
prevent leaking PRNG bits, we should hash all the bits that could be sent
out from or be observed from outside the process.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17694#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list