
Add some DH clarifications

svn:r5411
Nick Mathewson 20 years ago
parent commit 24ea1b3673
1 changed file with 11 additions and 9 deletions
  1. doc/tor-spec.txt (+11 -9)

+ 11 - 9
doc/tor-spec.txt

@@ -32,8 +32,8 @@ when do we rotate which keys (tls, link, etc)?
 
 
    Unless otherwise specified, all symmetric ciphers are AES in counter
    Unless otherwise specified, all symmetric ciphers are AES in counter
    mode, with an IV of all 0 bytes.  Asymmetric ciphers are either RSA
    mode, with an IV of all 0 bytes.  Asymmetric ciphers are either RSA
-   with 1024-bit keys and exponents of 65537, or DH where the generator
-   is 2 and the modulus is the 1024-bit safe prime from rfc2409,
+   with 1024-bit keys and exponents of 65537, or DH where the generator (g)
+   is 2 and the modulus (p) is the 1024-bit safe prime from rfc2409,
    section 6.2, whose hex representation is:
    section 6.2, whose hex representation is:
 
 
      "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
      "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
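Review bot: "RSA with 1024-bit keys and exponents of 65537" in the first changed line is ambiguous; it is the RSA public exponent e that is fixed at 65537, so "RSA with 1024-bit keys and public exponent 65537" would be clearer. Labeling g and p is a good addition, but it is worth one more sentence here stating what group g = 2 generates in this modulus: the hex shows p ends in FFFFFFFFFFFFFFFF, so p ≡ 7 (mod 8) and 2 is a quadratic residue, hence g generates the prime-order subgroup of order (p-1)/2 rather than the whole group. That fact is what justifies the short-exponent optimization added in the next hunk and the narrowness of the degenerate-value check later on, and the spec currently leaves the reader to work it out.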
@@ -42,6 +42,10 @@ when do we rotate which keys (tls, link, etc)?
      "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
      "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
      "49286651ECE65381FFFFFFFFFFFFFFFF"
      "49286651ECE65381FFFFFFFFFFFFFFFF"
 
 
+   As an optimization, implementations SHOULD choose DH private keys (x) of
+   320 bits.  Implementations that do this MUST never use any DH key more
+   than once.
+
    All "hashes" are 20-byte SHA1 cryptographic digests.
    All "hashes" are 20-byte SHA1 cryptographic digests.
 
 
    When we refer to "the hash of a public key", we mean the SHA1 hash of the
    When we refer to "the hash of a public key", we mean the SHA1 hash of the
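Review bot: the new paragraph states two requirements without a rationale for either. The 320-bit private exponent is sound only because p is a safe prime and g = 2 lies in the prime-order subgroup of order (p-1)/2, so the best generic attack on a 320-bit x is a Pollard-lambda / baby-step giant-step search costing about 2^160 operations; with a modulus that is not a safe prime a short exponent would not be safe, and the text should say that the SHOULD is conditional on this p. The "MUST never use any DH key more than once" sentence needs two fixes: use RFC 2119 phrasing ("MUST NOT use any DH private key x more than once"), and say why reuse is forbidden, since the paragraph as written ties the prohibition to the optimization without explaining what goes wrong when a 320-bit x is reused.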
@@ -239,7 +243,7 @@ connected at a different place. anything else? -RD]
 
 
    Once the handshake between the OP and an OR is completed, both servers can
    Once the handshake between the OP and an OR is completed, both servers can
    now calculate g^xy with ordinary DH.  Before computing g^xy, both client
    now calculate g^xy with ordinary DH.  Before computing g^xy, both client
-   and server MUST verify that the received g^x/g^y value is not degenerate;
+   and server MUST verify that the received g^x or g^y value is not degenerate;
    that is, it must be strictly greater than 1 and strictly less than p-1
    that is, it must be strictly greater than 1 and strictly less than p-1
    where p is the DH modulus.  Implementations MUST NOT complete a handshake
    where p is the DH modulus.  Implementations MUST NOT complete a handshake
    with degenerate keys.  Implementions MAY discard other "weak" g^x values.
    with degenerate keys.  Implementions MAY discard other "weak" g^x values.
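Review bot: the "g^x or g^y" wording fix on the changed line should be carried through to the unchanged context two lines below, which still reads 'Implementions MAY discard other "weak" g^x values' (typo "Implementions" aside, it should be "g^x or g^y values" for the same reason). The range check itself would be clearer if it said what to do with a received value that is not less than p at all, which the byte encoding permits: such a value is already excluded by "strictly less than p-1", but an explicit "any value that is not strictly less than p-1, including values greater than or equal to p, is degenerate" stops an implementer from reducing mod p first and then checking the reduced value.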
@@ -248,12 +252,10 @@ connected at a different place. anything else? -RD]
    discarded, an attacker can substitute the server's CREATED cell's g^y with
    discarded, an attacker can substitute the server's CREATED cell's g^y with
    0 or 1, thus creating a known g^xy and impersonating the server.)
    0 or 1, thus creating a known g^xy and impersonating the server.)
 
 
-   (The mainline Tor implementation discards all g^x values that are less
-   than 2^24, that are greater than p-2^24, or that have more than 1024-16
-   identical bits.  This constitutes a negligible portion of the keyspace;
-   the chances of stumbling on such a key at random are astronomically
-   small.  Nevertheless, implementors may wish to make their implementations
-   discard such keys.)
+   (The mainline Tor implementation, in the 0.1.1.x-alpha series, also
+   discarded all g^x values that are less than 2^24, that are greater than
+   p-2^24, or that have more than 1024-16 identical bits.  This serves no
+   useful purpose, and will probably stop soon.)
 
 
    From the base key material g^xy, they compute derivative key material as
    From the base key material g^xy, they compute derivative key material as
    follows.  First, the server represents g^xy as a big-endian unsigned
    follows.  First, the server represents g^xy as a big-endian unsigned
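Review bot: the replacement parenthetical is time-bound ("in the 0.1.1.x-alpha series", "will probably stop soon") and reads like a changelog entry rather than a specification; state the normative position instead, for example that implementations MAY apply such a filter and MUST NOT rely on it, or drop the paragraph entirely once the mainline code stops filtering. "more than 1024-16 identical bits" also needs rewording, since a reader cannot tell whether it means the 1024-bit representation has at most 16 bits set, at most 16 bits clear, or both. Separately, the unchanged context above describes the attacker substituting g^y with "0 or 1"; the range check earlier also rejects p-1 (which yields g^xy = ±1), so "0, 1, or p-1" there would keep the two passages consistent.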