[or-cvs] we are constrained more than we realized, on what g^x value...
arma at seul.org
Mon Jul 17 06:26:21 UTC 2006
Update of /home2/or/cvsroot/tor/doc
In directory moria:/home/arma/work/onion/cvs/tor/doc
we are constrained more than we realized, on what g^x values we can
accept or refuse.
RCS file: /home2/or/cvsroot/tor/doc/tor-spec.txt,v
retrieving revision 1.121
retrieving revision 1.122
diff -u -p -d -r1.121 -r1.122
--- tor-spec.txt 17 Jul 2006 06:20:09 -0000 1.121
+++ tor-spec.txt 17 Jul 2006 06:26:19 -0000 1.122
@@ -302,11 +302,14 @@ when do we rotate which keys (tls, link,
and server MUST verify that the received g^x or g^y value is not degenerate;
that is, it must be strictly greater than 1 and strictly less than p-1
where p is the DH modulus. Implementations MUST NOT complete a handshake
- with degenerate keys. Implementations MAY discard other "weak" g^x values.
+ with degenerate keys. Implementations MUST NOT discard other "weak"
+ g^x values.
- (Discarding degenerate keys is critical for security; if bad keys are not
- discarded, an attacker can substitute the server's CREATED cell's g^y with
- 0 or 1, thus creating a known g^xy and impersonating the server.)
+ (Discarding degenerate keys is critical for security; if bad keys
+ are not discarded, an attacker can substitute the server's CREATED
+ cell's g^y with 0 or 1, thus creating a known g^xy and impersonating
+ the server. Discarding other keys may allow attacks to learn bits of
+ the private key.)
(The mainline Tor implementation, in the 0.1.1.x-alpha series, discarded
all g^x values less than 2^24, greater than p-2^24, or having more than
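Review bot: The new sentence "Implementations MUST NOT discard other "weak" g^x values" leaves "weak" undefined, and the trailing context still documents the 0.1.1.x-alpha behaviour of discarding values less than 2^24 or greater than p-2^24, which this requirement now forbids. Consider stating the rule positively, for example that any received value strictly greater than 1 and strictly less than p-1 MUST be accepted, and saying how implementations should treat peers running those older versions. In the rationale paragraph, the added sentence "Discarding other keys may allow attacks to learn bits of the private key" gives no mechanism or reference, and the example still names only 0 or 1 although the rule also excludes p-1; mentioning p-1 there and pointing to the reasoning behind the new claim would make both halves of the requirement checkable.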