#3460 [Tor Hidden Services]: Replay-detection window for HS INTRODUCE2 cells causes HS reachability failures

Mon Oct 17 11:08:26 UTC 2011

Changes (by rransom):

  milestone:  Tor: 0.2.3.x-final => Tor: 0.2.2.x-final


 My plan for how to fix this no longer involves expanding the replay-
 detection window, even on 0.2.2.x.

 The Right Thing is to split our current 60-minute per-hidden-service (at
 least I hope it's per-HS) replay-detection cache (which handles both
 clients' DH public keys and the RSA-encrypted portions of INTRODUCE2
 cells) into a per-HS DH public key replay cache that only holds entries
 for five minutes, purely as a performance improvement (so we continue to
 not launch multiple attempts to connect to a single rendezvous point), and
 a per-intro-point replay cache that holds the non-malleable part of the
 INTRODUCE2 message for the lifetime of the intro point, to provide
 security against replay attacks.

 The easiest way to limit the size of the per-intro-point replay cache will
 be to limit the number of INTRODUCE2 cells sent to each intro point before
 it is replaced.

 I'm setting this ticket back to 0.2.2.x, because the scary part of this
 change will be making intro points expire after a while, and we need to
 apply that to 0.2.2.x in order to fix the service-side part of #3825.
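
Added example, not part of the ticket and not Tor's code: a small Python model of the split described in the comment above, with a per-intro-point replay cache that never expires while the intro point is in use and a per-HS DH public key cache that forgets entries after five minutes. The class and function names, the SHA-256 digest, the return strings and the cap of 3 cells are assumptions for illustration; all inputs are constructed.

```python
import hashlib

DH_CACHE_SECONDS = 5 * 60   # per-HS DH key cache lifetime named in the comment
MAX_INTRODUCTIONS = 3       # assumed cap, kept tiny so a demo can reach it

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class IntroPoint:
    """Replay cache that lives exactly as long as the intro point does."""
    def __init__(self, cap: int = MAX_INTRODUCTIONS):
        self.cap = cap
        self.seen = set()    # digests of the non-malleable INTRODUCE2 part
    def needs_replacement(self) -> bool:
        # Capping the cells accepted per intro point caps the cache size;
        # replacing the intro point discards its cache along with it.
        return len(self.seen) >= self.cap

class HiddenService:
    def __init__(self):
        self.dh_seen = {}    # DH public key digest -> time first seen
    def handle_introduce2(self, intro: IntroPoint, nonmalleable: bytes,
                          dh_pubkey: bytes, now: float) -> str:
        # Security check: no time window, so an old cell stays rejected.
        d = digest(nonmalleable)
        if d in intro.seen:
            return "replay"
        intro.seen.add(d)
        # Performance check: drop DH keys older than five minutes, then look up.
        self.dh_seen = {k: t for k, t in self.dh_seen.items()
                        if now - t < DH_CACHE_SECONDS}
        k = digest(dh_pubkey)
        if k in self.dh_seen:
            return "duplicate-dh"    # do not launch a second rendezvous attempt
        self.dh_seen[k] = now
        return "launch"

def demo():
    # Constructed inputs: one client DH key arriving via two intro points.
    hs, ip_a, ip_b = HiddenService(), IntroPoint(), IntroPoint()
    cell, dh = b"constructed-encrypted-part", b"constructed-dh-key"
    return [
        hs.handle_introduce2(ip_a, cell, dh, now=0),          # first sight
        hs.handle_introduce2(ip_b, b"part-2", dh, now=60),    # same DH key, 1 min later
        hs.handle_introduce2(ip_a, cell, dh, now=7200),       # same cell, 2 h later
        hs.handle_introduce2(ip_b, b"part-3", dh, now=7200),  # DH entry has aged out
    ]
```

In this model the two-hour-old cell is still rejected at the same intro point, while the DH key is accepted again once its five-minute entry has aged out.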

