[tor-bugs] #17694 [Tor]: Hash PRNG output before use, so that it's not revealed to the network
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Dec 9 02:16:30 UTC 2015
#17694: Hash PRNG output before use, so that it's not revealed to the network
-------------------------+------------------------------------
Reporter: teor | Owner:
Type: enhancement | Status: needs_review
Priority: Medium | Milestone: Tor: 0.2.8.x-final
Component: Tor | Version: Tor: unspecified
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Sponsor: |
-------------------------+------------------------------------
Comment (by yawning):
Replying to [comment:14 teor]:
> Depending on how it's implemented, the hashing has a performance cost of
about -40% (if we hash an entire buffer, then use it for multiple small
random calls) to +30% on Tor's typical input sizes.
For the former case, that reads suspiciously like "re-implement libottery
as a Hash_DRBG", sitting on top of another hash based CSPRNG (OpenSSL's).
> > IMO that point now has been reached. Others are free to disagree with
me.
>
> To be clear, I'm agnostic on hashing PRNG output. But if we want to
prevent leaking PRNG bits, we should hash all the bits that could be sent
out from or be observed from outside the process.
I'm mostly agnostic here. I think anything more than what nickm's branch
does warrants re-evaluating why we are doing this, and if there's a way to
get what we want efficiently (since RAND_bytes() is hashing entropy from
the system entropy source. I'm not convinced that's not good enough, at
all.).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17694#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list