[tor-dev] v3 hidden services: inconsistencies between spec and implementation

teor teor2345 at gmail.com
Sat Oct 28 21:27:49 UTC 2017


On 29 Oct 2017, at 01:30, George Kadianakis <desnacked at riseup.net> wrote:

>> # 220-ecc-ids-keys.txt

Is this the latest version of the ECC ID specification?
Usually, our proposals are integrated into the main spec documents
after they are implemented.

>> # 2.1
>> 
>> * 'The signature is formed by signing the first N-64 bytes of the
>>  certificate prefixed with the string "Tor node signing key certificate
>>  v1".' I found this to be false; the signatures only validate without
>>  the string prefix.
>> 
> 
> Ouch... I think we should edit the spec and consider if there are any
> security risks here.

One security risk is that signatures on these certificates are re-usable
in other contexts. For example, if two different parts of the Tor code
believe signed certificates without prefixes, an adversary can take a
certificate signed for one of them, and pass it to the other.

>> ## A.1
>> 
>> * I realized that the certificate types here are outdated. The
>>  signing-key extension is listed as type [04], when in rend-spec-v3.txt
>>  and the C implementation it is type [08].
> 
> Let's fix the spec here too...

This should definitely be integrated into one of the main specs.

T


More information about the tor-dev mailing list