[tor-dev] prop224: Deprecating SHA1 circuit digests

teor teor2345 at gmail.com
Sun Jul 23 02:08:25 UTC 2017

> On 22 Jul 2017, at 00:07, David Goulet <dgoulet at ev0ke.net> wrote:
> On 22 Jul (00:02:33), teor wrote:
>> Hi all,
>> At the moment, Tor uses SHA1 for the running digests of circuit cell
>> payloads.
>> Some of the prop224 code seems to use SHA256 for the digests for
>> client to service rendezvous circuits. But that's not in the spec yet
>> (see #22995 at [0]).
> That is not accurate. It uses SHA3, notice DIGEST_SHA3_256 in
> circuit_init_cpath_crypto():
>  if (is_hs_v3) {
>    digest_len = DIGEST256_LEN;
>    cipher_key_len = CIPHER256_KEY_LEN;
>    cpath->f_digest = crypto_digest256_new(DIGEST_SHA3_256);
>    cpath->b_digest = crypto_digest256_new(DIGEST_SHA3_256);
>  }  ...

Oops, missed the "3".

We still need to think about how we migrate hashes, because all hashes
break eventually:

And I am concerned that we might be hard-coding either SHA1 or SHA3-256
in the v3 hidden service protocol.

The following handshakes depend on version information in the HSv3 protocol:
* client to intro,
* service to rend, and
* client to service.
They can't use version information from the consensus.

I've opened a ticket for this:



Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
xmpp: teor at torproject dot org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20170723/34a2165a/attachment.sig>

More information about the tor-dev mailing list