summaryrefslogtreecommitdiff
path: root/changes/replay-firstpart
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2011-05-10 21:40:10 -0400
committerNick Mathewson <nickm@torproject.org>2011-09-09 12:49:47 -0400
commitcb9226bcdb811c6b30fb4bb2b6b06b378ebf0559 (patch)
tree4ec013d496687f5c3c9eace19252b718602fa5ae /changes/replay-firstpart
parentc75ee94ab41e3a76e8159366defe3159614b497c (diff)
downloadtor-cb9226bcdb811c6b30fb4bb2b6b06b378ebf0559.tar.gz
tor-cb9226bcdb811c6b30fb4bb2b6b06b378ebf0559.zip
Check for replays in PK-encrypted part of intro cell, not just in the g^x value
Diffstat (limited to 'changes/replay-firstpart')
-rw-r--r--changes/replay-firstpart13
1 files changed, 13 insertions, 0 deletions
diff --git a/changes/replay-firstpart b/changes/replay-firstpart
new file mode 100644
index 0000000000..f4a7767fb1
--- /dev/null
+++ b/changes/replay-firstpart
@@ -0,0 +1,13 @@
+ o Minor features (security):
+
+ - Check for replays of the public-key encrypted portion of an
+ INTRODUCE1 cell, in addition to the current check for replays of
+ the g^x value. This prevents a possible class of active attacks
+ by an attacker who controls both an introduction point and a
+ rendezvous point, and who uses the malleability of AES-CTR to
+ alter the encrypted g^x portion of the INTRODUCE1 cell. We
+ think that these attacks is infeasible (requiring the attacker
+ to send on the order of zettabytes of altered cells in a short
+ interval), but we'd rather block them off in case there are any
+ classes of this attack that we missed. Reported by dvorak.
+