[tor-commits] [torspec/master] prop224: Specify and motivate client-side address validation.

nickm at torproject.org nickm at torproject.org
Tue Sep 19 14:33:01 UTC 2017


commit 210e19d61b8596a4437f606ba3424238fcfc02d0
Author: George Kadianakis <desnacked at riseup.net>
Date:   Tue Sep 19 17:25:33 2017 +0300

    prop224: Specify and motivate client-side address validation.
    
    Also see #23019 for the code patch.
---
 proposals/224-rend-spec-ng.txt | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt
index 8431d45..206ab28 100644
--- a/proposals/224-rend-spec-ng.txt
+++ b/proposals/224-rend-spec-ng.txt
@@ -972,6 +972,27 @@ Table of contents:
    These requests must be made anonymously, on circuits not used for
    anything else.
 
+2.2.7. Client-side validation of onion addresses
+
+   When a Tor client receives a prop224 onion address from the user, it should
+   validate the onion address before attempting to connect or fetch its
+   descriptor.
+
+   As part of the address validation, Tor clients should check that the
+   underlying ed25519 key does not have a torsion component. If Tor accepted
+   ed25519 keys with torsion components, attackers could create multiple
+   equivalent onion addresses for a single ed25519 key, which would map to the
+   same service. We want to avoid that because it could lead to phishing
+   attacks and surprising behaviors (e.g. imagine a browser plugin that blocks
+   onion addresses, but could be bypassed using an equivalent onion address
+   with a torsion component).
+
+   The right way for clients to detect such fraudulent addresses (which should
+   only occur malevolently and never natutally) is to extract the ed25519
+   public key from the onion address and multiply it by the ed25519 group order
+   and ensure that the result is the ed25519 identity element. For more
+   details, please see [TORSION-REFS].
+
 2.3. Publishing shared random values [PUB-SHAREDRANDOM]
 
    Our design for limiting the predictability of HSDir upload locations
@@ -2087,6 +2108,10 @@ References:
 [ONIONADDRESS-REFS]:
         https://lists.torproject.org/pipermail/tor-dev/2017-January/011816.html
 
+[TORSION-REFS]:
+        https://lists.torproject.org/pipermail/tor-dev/2017-April/012164.html
+        https://getmonero.org/2017/05/17/disclosure-of-a-major-bug-in-cryptonote-based-currencies.html
+
 Appendix A. Signature scheme with key blinding [KEYBLIND]
 
 A.1. Key derivation overview





More information about the tor-commits mailing list