Fix TROVE-2017-009: Replay-cache ineffective for v2 hidden services.
TROVE-2017-009: Replay-cache ineffective for v2 hidden services. SEVERITY: Medium ALSO TRACKED AS: CVE-2017-8819 SUMMARY: There's a possibility for a limited replay attack of INTRODUCE2 cells towards a legacy (v2) onion service. BACKGROUND: The hybrid-encryption algorithm we used for v2 onion services is somewhat malleable. To encrypt the message X to a public key PK, clients generate a random AES key K, and then send RSA-OAEP(K || Start-of-X) || AES_CTR(K, End-of-X) But as you'll notice, the AES-encrypted portion is unauthenticated and therefore malleable. It contains a portion of the g^x DH key. What this means is that an attacker who sees a v2 onion service's INTRODUCE1 cell can send a large number of corresponding INTRODUCE2 cells each containing a g^x that differs in the final bits. When the v2 onion service gets one of these altered cells, it will launch a connection to the same rendezvous point as before, with a different g^y, and a different KH. Because of this attack, in 0.2.3.4-alpha, we changed the replay cache so that it checks for replays in the RSA-encrypted (non-malleable) portion. For more info, see tor-spec.txt, section 0.4; rend-spec-v2.txt, sections 1.8 and 1.9. THE PROBLEM: In 471ab34032581e6631c23ee05a2b212e757bafab, when we refactored the v2 onion service code in Tor 0.2.4.1-alpha, we accidentally included this change. The critical part is the change in the length of data added checked: previously, it was only "keylen" -- the length of the RSA key. But now it's the whole ciphertext, when means that a modified version won't get detected as a replay. IMPACT: If an attacker can observe the rendezvous point, they can make the onion service make lots of connections to it -- but any attacker can already do that if they know the onion service's public key by sending their own INTRODUCE1 cells and picking a rendezvous point they control. (And in the v2 hs design, we should assume the attacker already knows the onion service's public key, because of directory crawling attacks.) FIX: Anyone who is running a v2 (old) hidden service should upgrade to one of the releases with the fix for this issue: 0.2.5.16, 0.2.8.17, 0.2.9.14, 0.3.0.13, 0.3.1.9, or 0.3.2.6-alpha.
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information