[tor-dev] Proposal 193: Safe cookie authentication

[Robert Ransom]

I've pushed a revised protocol change to branch safecookie of
git.tpo/rransom/torspec.git, and a (messy, needs rebase,
untested) implementation to branch safecookie-023 of
git.tpo/rransom/tor.git.

Now, the client and server nonces are fed to the same HMAC
invocation, so that the client can believe (modulo Merkle-Damgard
and general iterative hash function ‘features’) that the server
knows the cookie (rather than just HMAC(constant, cookie)).

Almost all controllers must drop almost all support for non-safe
cookie authentication ASAP, because a compromised system-wide Tor
process could drop a symlink to /home/rransom/.ed25519-secret-key in
where it was supposed to put a cookie file.

The sole exception to ‘non-safe cookie authentication must die’ is
when a controller knows that it is connected to a server process with
equal or greater access to the same filesystem it has access to.  In
practice, this means ‘only if you're completely sure that Tor is
running in the same user account as the controller, and you're
completely sure that you're connected to Tor’, and no controller is
sure of either of those.


Robert Ransom