[tor-dev] Proposal 222: Stop sending client timestamps
Nick Mathewson
nickm at alum.mit.edu
Thu Aug 22 16:45:36 UTC 2013
On Thu, Aug 22, 2013 at 12:33 PM, George Kadianakis
<desnacked at riseup.net> wrote:
[...]
>> 2.2. AUTHENTICATE (server)
>>
>> The AUTHENTICATE cell is not ordinarily sent by clients. It
>> contains an 8-byte timestamp and a 16-byte random value.
>> Instead, let's replace both with a 24-byte (truncated) HMAC of
>> the current time, using a random key.
>>
>> This will achieve the goal of including a timestamp in the
>> cell (preventing replays even in the presence of bad entropy),
>> while at the same time not including the time here.
>>
>
> Hey Nick,
>
> how does the client verify the contents of the AUTHENTICATE cell
> (including the timestamp), if the timestamp is encrypted with a random
> key?
Two points and a real answer. The two points first:
* The authenticate cell is sent from a server initiator to a server
responder. Clients never get them, and never verify them.
* HMAC isn't encryption. :)
The real answer:
* The contents of the timestamp are never actually checked; the
protocol only includes a timestamp there in a voodoo-like imitation of
the ClientRandom field. The requirement is that there be _something_
in this position, and that the entire AUTHENTICATE cell be correctly
signed.
--
Nick
More information about the tor-dev
mailing list