author | Roger Dingledine <arma@torproject.org> | 2006-07-17 06:26:19 +0000 |
---|---|---|
committer | Roger Dingledine <arma@torproject.org> | 2006-07-17 06:26:19 +0000 |
commit | aae02335aacca1419e79a306a3c725ce8bd0e689 (patch) | |
tree | 1bdbf34498e39f192894318e2b6c8a4a97d4c600 | |
parent | bfe93cdb8377330c5cc62a18b2b965c9f2853846 (diff) | |
we are constrained more than we realized, on what g^x values we can
accept or refuse.
svn:r6773
-rw-r--r-- | trunk/doc/tor-spec.txt | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/trunk/doc/tor-spec.txt b/trunk/doc/tor-spec.txt index f5d9a2c1cf..35b71e00db 100644 --- a/trunk/doc/tor-spec.txt +++ b/trunk/doc/tor-spec.txt @@ -302,11 +302,14 @@ when do we rotate which keys (tls, link, etc)? and server MUST verify that the received g^x or g^y value is not degenerate; that is, it must be strictly greater than 1 and strictly less than p-1 where p is the DH modulus. Implementations MUST NOT complete a handshake - with degenerate keys. Implementations MAY discard other "weak" g^x values. - - (Discarding degenerate keys is critical for security; if bad keys are not - discarded, an attacker can substitute the server's CREATED cell's g^y with - 0 or 1, thus creating a known g^xy and impersonating the server.) + with degenerate keys. Implementations MUST NOT discard other "weak" + g^x values. + + (Discarding degenerate keys is critical for security; if bad keys + are not discarded, an attacker can substitute the server's CREATED + cell's g^y with 0 or 1, thus creating a known g^xy and impersonating + the server. Discarding other keys may allow attacks to learn bits of + the private key.) (The mainline Tor implementation, in the 0.1.1.x-alpha series, discarded all g^x values less than 2^24, greater than p-2^24, or having more than |
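Review bot: The new sentence 'Implementations MUST NOT discard other "weak" g^x values' leaves "weak" undefined, so the requirement is hard to test against. Stating it positively would be clearer, for example that implementations MUST accept every received g^x or g^y that is strictly greater than 1 and strictly less than p-1. In the added rationale, "may allow attacks to learn bits of the private key" probably wants "attackers", and one clause on how the leak arises would help implementers see why the MAY became a MUST NOT. The unchanged paragraph that follows describes the mainline 0.1.1.x-alpha implementation discarding g^x values less than 2^24 or greater than p-2^24, which this change now forbids; if the rest of that paragraph does not already say so, it should note that this behaviour no longer conforms.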