we are constrained more than we realized, on what g^x values we can

accept or refuse. svn:r6773
2024-09-21 05:26:20 +02:00 · 2006-07-17 06:26:19 +00:00 · 2006-07-17 06:26:19 +00:00 · 8868830ac5
commit 8868830ac5
parent fc7c32da8a
1 changed files with 7 additions and 4 deletions
--- a/doc/tor-spec.txt
+++ b/doc/tor-spec.txt
@ -302,11 +302,14 @@ when do we rotate which keys (tls, link, etc)?
   and server MUST verify that the received g^x or g^y value is not degenerate;
   that is, it must be strictly greater than 1 and strictly less than p-1
   where p is the DH modulus.  Implementations MUST NOT complete a handshake
-   with degenerate keys.  Implementations MAY discard other "weak" g^x values.
+   with degenerate keys.  Implementations MUST NOT discard other "weak"
+   g^x values.

-   (Discarding degenerate keys is critical for security; if bad keys are not
-   discarded, an attacker can substitute the server's CREATED cell's g^y with
-   0 or 1, thus creating a known g^xy and impersonating the server.)
+   (Discarding degenerate keys is critical for security; if bad keys
+   are not discarded, an attacker can substitute the server's CREATED
+   cell's g^y with 0 or 1, thus creating a known g^xy and impersonating
+   the server. Discarding other keys may allow attacks to learn bits of
+   the private key.)

   (The mainline Tor implementation, in the 0.1.1.x-alpha series, discarded
   all g^x values less than 2^24, greater than p-2^24, or having more than