diff options
| author | Nick Mathewson <nickm@torproject.org> | 2017-09-19 10:32:14 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2017-09-19 10:32:14 -0400 |
| commit | 4be7ff5ce84183604b717cad75d1157393e4e747 (patch) | |
| tree | 17b21a03a51db97444a58c04905cd9c7d0596a8f /proposals/224-rend-spec-ng.txt | |
| parent | 1cda024edf1501f23d639a40965602205ab300bb (diff) | |
| parent | 210e19d61b8596a4437f606ba3424238fcfc02d0 (diff) | |
| download | torspec-4be7ff5ce84183604b717cad75d1157393e4e747.tar.gz torspec-4be7ff5ce84183604b717cad75d1157393e4e747.zip | |
Merge remote-tracking branch 'asn/bug22743'
Diffstat (limited to 'proposals/224-rend-spec-ng.txt')
| -rw-r--r-- | proposals/224-rend-spec-ng.txt | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt index 93cc0c6..9c8b77e 100644 --- a/proposals/224-rend-spec-ng.txt +++ b/proposals/224-rend-spec-ng.txt @@ -972,6 +972,27 @@ Table of contents: These requests must be made anonymously, on circuits not used for anything else. +2.2.7. Client-side validation of onion addresses + + When a Tor client receives a prop224 onion address from the user, it should + validate the onion address before attempting to connect or fetch its + descriptor. + + As part of the address validation, Tor clients should check that the + underlying ed25519 key does not have a torsion component. If Tor accepted + ed25519 keys with torsion components, attackers could create multiple + equivalent onion addresses for a single ed25519 key, which would map to the + same service. We want to avoid that because it could lead to phishing + attacks and surprising behaviors (e.g. imagine a browser plugin that blocks + onion addresses, but could be bypassed using an equivalent onion address + with a torsion component). + + The right way for clients to detect such fraudulent addresses (which should + only occur malevolently and never natutally) is to extract the ed25519 + public key from the onion address and multiply it by the ed25519 group order + and ensure that the result is the ed25519 identity element. For more + details, please see [TORSION-REFS]. + 2.3. Publishing shared random values [PUB-SHAREDRANDOM] Our design for limiting the predictability of HSDir upload locations @@ -2074,6 +2095,10 @@ References: [ONIONADDRESS-REFS]: https://lists.torproject.org/pipermail/tor-dev/2017-January/011816.html +[TORSION-REFS]: + https://lists.torproject.org/pipermail/tor-dev/2017-April/012164.html + https://getmonero.org/2017/05/17/disclosure-of-a-major-bug-in-cryptonote-based-currencies.html + Appendix A. Signature scheme with key blinding [KEYBLIND] A.1. Key derivation overview |