[or-cvs] we are constrained more than we realized, on what g^x value...

[arma at seul.org]

Update of /home2/or/cvsroot/tor/doc
In directory moria:/home/arma/work/onion/cvs/tor/doc

Modified Files:
	tor-spec.txt 
Log Message:
we are constrained more than we realized, on what g^x values we can
accept or refuse.


Index: tor-spec.txt
===================================================================
RCS file: /home2/or/cvsroot/tor/doc/tor-spec.txt,v
retrieving revision 1.121
retrieving revision 1.122
diff -u -p -d -r1.121 -r1.122
--- tor-spec.txt	17 Jul 2006 06:20:09 -0000	1.121
+++ tor-spec.txt	17 Jul 2006 06:26:19 -0000	1.122
@@ -302,11 +302,14 @@ when do we rotate which keys (tls, link,
    and server MUST verify that the received g^x or g^y value is not degenerate;
    that is, it must be strictly greater than 1 and strictly less than p-1
    where p is the DH modulus.  Implementations MUST NOT complete a handshake
-   with degenerate keys.  Implementations MAY discard other "weak" g^x values.
+   with degenerate keys.  Implementations MUST NOT discard other "weak"
+   g^x values.
 
-   (Discarding degenerate keys is critical for security; if bad keys are not
-   discarded, an attacker can substitute the server's CREATED cell's g^y with
-   0 or 1, thus creating a known g^xy and impersonating the server.)
+   (Discarding degenerate keys is critical for security; if bad keys
+   are not discarded, an attacker can substitute the server's CREATED
+   cell's g^y with 0 or 1, thus creating a known g^xy and impersonating
+   the server. Discarding other keys may allow attacks to learn bits of
+   the private key.)
 
    (The mainline Tor implementation, in the 0.1.1.x-alpha series, discarded
    all g^x values less than 2^24, greater than p-2^24, or having more than