tor/changes/replay-firstpart

  o Minor features (security):

    - Check for replays of the public-key encrypted portion of an
      INTRODUCE1 cell, in addition to the current check for replays of
      the g^x value.  This prevents a possible class of active attacks
      by an attacker who controls both an introduction point and a
      rendezvous point, and who uses the malleability of AES-CTR to
      alter the encrypted g^x portion of the INTRODUCE1 cell.  We
      think that these attacks is infeasible (requiring the attacker
      to send on the order of zettabytes of altered cells in a short
      interval), but we'd rather block them off in case there are any
      classes of this attack that we missed.  Reported by dvorak.
Check for replays in PK-encrypted part of intro cell, not just in the g^x value 2011-05-11 03:40:10 +02:00			`o Minor features (security):`

			`- Check for replays of the public-key encrypted portion of an`
			`INTRODUCE1 cell, in addition to the current check for replays of`
			`the g^x value. This prevents a possible class of active attacks`
			`by an attacker who controls both an introduction point and a`
			`rendezvous point, and who uses the malleability of AES-CTR to`
			`alter the encrypted g^x portion of the INTRODUCE1 cell. We`
			`think that these attacks is infeasible (requiring the attacker`
			`to send on the order of zettabytes of altered cells in a short`
			`interval), but we'd rather block them off in case there are any`
			`classes of this attack that we missed. Reported by dvorak.`