[tor-dev] Proposal 193: Safe cookie authentication

Robert Ransom rransom.8774 at gmail.com
Thu Feb 9 23:02:21 UTC 2012

I've pushed a revised protocol change to branch safecookie of
git.tpo/rransom/torspec.git, and a (messy, needs rebase,
untested) implementation to branch safecookie-023 of

Now, the client and server nonces are fed to the same HMAC
invocation, so that the client can believe (modulo Merkle-Damgard
and general iterative hash function ‘features’) that the server
knows the cookie (rather than just HMAC(constant, cookie)).

Almost all controllers must drop almost all support for non-safe
cookie authentication ASAP, because a compromised system-wide Tor
process could drop a symlink to /home/rransom/.ed25519-secret-key in
where it was supposed to put a cookie file.

The sole exception to ‘non-safe cookie authentication must die’ is
when a controller knows that it is connected to a server process with
equal or greater access to the same filesystem it has access to.  In
practice, this means ‘only if you're completely sure that Tor is
running in the same user account as the controller, and you're
completely sure that you're connected to Tor’, and no controller is
sure of either of those.

Robert Ransom
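
The exchange this message describes, as an added example that is not code from the proposal or from Tor: both nonces and the cookie go into one HMAC invocation, and the controller checks the server's hash before sending its own. The two key strings are taken from the SAFECOOKIE definition in Tor's control-spec rather than from this message; `Server` and `controller_login` are hypothetical names.

```python
import hashlib
import hmac
import os

# Key strings as defined for SAFECOOKIE in Tor's control-spec (not quoted in the message).
SERVER_KEY = b"Tor safe cookie authentication server-to-controller hash"
CLIENT_KEY = b"Tor safe cookie authentication controller-to-server hash"


def _mac(key, cookie, client_nonce, server_nonce):
    # Cookie and both nonces are fed to the same HMAC invocation.
    return hmac.new(key, cookie + client_nonce + server_nonce, hashlib.sha256).digest()


class Server:
    """Hypothetical stand-in for the Tor side of the challenge/response."""

    def __init__(self, cookie):
        self.cookie = cookie

    def challenge(self, client_nonce):
        self.client_nonce = client_nonce
        self.server_nonce = os.urandom(32)
        return _mac(SERVER_KEY, self.cookie, client_nonce, self.server_nonce), self.server_nonce

    def authenticate(self, client_hash):
        expected = _mac(CLIENT_KEY, self.cookie, self.client_nonce, self.server_nonce)
        return hmac.compare_digest(expected, client_hash)


def controller_login(server, file_bytes):
    """file_bytes is whatever the cookie path held. Returns (authenticated, bytes_sent)."""
    client_nonce = os.urandom(32)
    sent = client_nonce
    server_hash, server_nonce = server.challenge(client_nonce)
    expected = _mac(SERVER_KEY, file_bytes, client_nonce, server_nonce)
    if not hmac.compare_digest(expected, server_hash):
        # The server has not shown it knows the file contents: stop here.
        return False, sent
    client_hash = _mac(CLIENT_KEY, file_bytes, client_nonce, server_nonce)
    return server.authenticate(client_hash), sent + client_hash


if __name__ == "__main__":
    cookie = os.urandom(32)
    print("honest server:", controller_login(Server(cookie), cookie)[0])
    # Constructed stand-in for a private file the cookie path was redirected to.
    secret = b"constructed-secret-key-material!"
    print("server without the file:", controller_login(Server(os.urandom(32)), secret)[0])
```

In the second case the controller has sent only its own nonce, so the file's contents are never written to the control connection.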
