[tor-bugs] #17556 [Tor]: Doc or implementation error in NTor handshake

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Nov 8 06:20:40 UTC 2015


#17556: Doc or implementation error in NTor handshake
------------------------+-----------------
     Reporter:  awick   |      Owner:
         Type:  defect  |     Status:  new
     Priority:  Medium  |  Milestone:
    Component:  Tor     |    Version:
     Severity:  Normal  |   Keywords:
Actual Points:          |  Parent ID:
       Points:          |    Sponsor:
------------------------+-----------------
 Either the docs or the implementation seem to be off for the
 implementation of the NTor handshake. Specifically, the docs (in Section
 5.1.4) state:

 `verify = H(secret_input, t_verify)`

 and

 `auth = H(auth_input, t_mac)`

 where `H(x,t)` is defined as `HMAC_SHA256` with message `x` and key `t`.

 Looking into the source code, the implementation of these two is via the
 function `h_tweak`. In all cases, `h_tweak` is called with `h_tweak(input,
 input_length, t_value)`. However, it then calls the underlying hmac
 function with the arguments reversed. This has the effect of redefining
 `verify` as `H(t_verify, secret_input)` and `auth` as `H(t_mac,
 auth_input)`.

 I'm not sure what the security implications of this are, but it is
 confusing. If there is no difference in the security of the result, it'd
 obviously be easier to update the docs. Otherwise, the patch to `h_tweak`
 should be obvious, but it will make handshakes with previous
 implementations fail.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17556>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list