[or-cvs] Add some DH clarifications

Nick Mathewson nickm at seul.org
Thu Nov 17 18:14:31 UTC 2005


Update of /home/or/cvsroot/tor/doc
In directory moria:/tmp/cvs-serv29278/doc

Modified Files:
	tor-spec.txt 
Log Message:
Add some DH clarifications

Index: tor-spec.txt
===================================================================
RCS file: /home/or/cvsroot/tor/doc/tor-spec.txt,v
retrieving revision 1.101
retrieving revision 1.102
diff -u -d -r1.101 -r1.102
--- tor-spec.txt	17 Nov 2005 09:55:44 -0000	1.101
+++ tor-spec.txt	17 Nov 2005 18:14:29 -0000	1.102
@@ -32,8 +32,8 @@
 
    Unless otherwise specified, all symmetric ciphers are AES in counter
    mode, with an IV of all 0 bytes.  Asymmetric ciphers are either RSA
-   with 1024-bit keys and exponents of 65537, or DH where the generator
-   is 2 and the modulus is the 1024-bit safe prime from rfc2409,
+   with 1024-bit keys and exponents of 65537, or DH where the generator (g)
+   is 2 and the modulus (p) is the 1024-bit safe prime from rfc2409,
    section 6.2, whose hex representation is:
 
      "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
@@ -42,6 +42,10 @@
      "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
      "49286651ECE65381FFFFFFFFFFFFFFFF"
 
+   As an optimization, implementations SHOULD choose DH private keys (x) of
+   320 bits.  Implementations that do this MUST never use any DH key more
+   than once.
+
    All "hashes" are 20-byte SHA1 cryptographic digests.
 
    When we refer to "the hash of a public key", we mean the SHA1 hash of the
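Review bot: "MUST never use" in the added paragraph is not a standard requirement keyword; write "MUST NOT use any DH key more than once", matching the "MUST NOT complete a handshake" wording used later in the spec. "any DH key" is also ambiguous next to "DH private keys (x)": say explicitly that it is the private exponent x (and so the corresponding g^x) that must not be reused. The paragraph gives no rationale for the 320-bit size or for why the single-use rule is conditional on it. One sentence of explanation would tell an implementer who picks a different exponent length whether the reuse restriction still applies.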
@@ -239,7 +243,7 @@
 
    Once the handshake between the OP and an OR is completed, both servers can
    now calculate g^xy with ordinary DH.  Before computing g^xy, both client
-   and server MUST verify that the received g^x/g^y value is not degenerate;
+   and server MUST verify that the received g^x or g^y value is not degenerate;
    that is, it must be strictly greater than 1 and strictly less than p-1
    where p is the DH modulus.  Implementations MUST NOT complete a handshake
    with degenerate keys.  Implementions MAY discard other "weak" g^x values.
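Review bot: the context line above the change still says "both servers can now calculate g^xy", while the changed sentence says "both client and server"; suggest "both parties" (or "the OP and the OR") there so the paragraph names the two sides consistently. While this paragraph is being touched, fix "Implementions" in its last sentence. The bound excludes p-1 as well as 0 and 1, but the rationale that follows only mentions substituting 0 or 1. A short note that p-1 also forces g^xy into a two-value set (1 or p-1) would make the check self-explanatory.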
@@ -248,12 +252,10 @@
    discarded, an attacker can substitute the server's CREATED cell's g^y with
    0 or 1, thus creating a known g^xy and impersonating the server.)
 
-   (The mainline Tor implementation discards all g^x values that are less
-   than 2^24, that are greater than p-2^24, or that have more than 1024-16
-   identical bits.  This constitutes a negligible portion of the keyspace;
-   the chances of stumbling on such a key at random are astronomically
-   small.  Nevertheless, implementors may wish to make their implementations
-   discard such keys.)
+   (The mainline Tor implementation, in the 0.1.1.x-alpha series, also
+   discarded all g^x values that are less than 2^24, that are greater than
+   p-2^24, or that have more than 1024-16 identical bits.  This serves no
+   useful purpose, and will probably stop soon.)
 
    From the base key material g^xy, they compute derivative key material as
    follows.  First, the server represents g^xy as a big-endian unsigned
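Review bot: the new parenthetical says the extra filtering "serves no useful purpose", but the paragraph just above still tells implementers they "MAY discard other 'weak' g^x values"; the two statements should agree, either by dropping the MAY or by saying the extra checks are permitted but unnecessary. "will probably stop soon" is a prediction that will go stale in a spec. Consider recording only that the check is not required, and naming the release that removes it once that is known. The tense is also mixed: "discarded" reads as past behaviour while "will probably stop" implies it is still happening.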


