Changes between Initial Version and Version 1 of Ticket #24244

Dec 1, 2017, 1:59:06 PM (4 months ago)

Fixed in today's releases.


  • Ticket #24244

    • Property Status changed from assigned to closed
    • Property Resolution changed from to fixed
    • Property Summary changed from Fix TROVE-2017-009 to Fix TROVE-2017-009: Replay-cache ineffective for v2 hidden services.
  • Ticket #24244 – Description

    initial v1

      TROVE-2017-009: Replay-cache ineffective for v2 hidden services.

      SEVERITY: Medium

      ALSO TRACKED AS: CVE-2017-8819

      There's a possibility for a limited replay attack of INTRODUCE2 cells
      towards a legacy (v2) onion service.

      The hybrid-encryption algorithm we used for v2 onion services is
      somewhat malleable.  To encrypt the message X to a public key PK,
      clients generate a random AES key K, and then send

         RSA-OAEP(K || Start-of-X) || AES_CTR(K, End-of-X)

      But as you'll notice, the AES-encrypted portion is unauthenticated
      and therefore malleable.  It contains a portion of the g^x DH key.

      What this means is that an attacker who sees a v2 onion service's
      INTRODUCE1 cell can send a large number of corresponding INTRODUCE2
      cells each containing a g^x that differs in the final bits.  When
      the v2 onion service gets one of these altered cells, it will launch a
      connection to the same rendezvous point as before, with a different
      g^y, and a different KH.

      Because of this attack, in, we changed the replay
      cache so that it checks for replays in the RSA-encrypted
      (non-malleable) portion.

      For more info, see tor-spec.txt, section 0.4; rend-spec-v2.txt,
      sections 1.8 and 1.9.

      In 471ab34032581e6631c23ee05a2b212e757bafab, when we refactored the
      v2 onion service code in Tor, we accidentally
      included this change.

      The critical part is the change in the length of data
      checked: previously, it was only "keylen" -- the length of the RSA
      key.  But now it's the whole ciphertext, which means that a
      modified version won't get detected as a replay.

      If an attacker can observe the rendezvous point, they can make the
      onion service make lots of connections to it -- but any attacker
      can already do that if they know the onion service's public key by
      sending their own INTRODUCE1 cells and picking a rendezvous point
      they control.  (And in the v2 hs design, we should assume the
      attacker already knows the onion service's public key, because of
      directory crawling attacks.)

      Anyone who is running a v2 (old) hidden service should upgrade to
      one of the releases with the fix for this issue:,, ,,, or
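As an added illustration (not part of the ticket and not Tor's own code), the toy replay cache below shows why keying the check on the whole ciphertext misses an INTRODUCE2 body whose malleable AES-CTR tail was altered, while keying it on the first "keylen" bytes (the RSA-OAEP block) catches it. It assumes 1024-bit RSA (a 128-byte OAEP block) and uses random bytes in place of real ciphertext.

```python
import hashlib
import os

# Assumption for this example: v2 onion services used 1024-bit RSA keys, so the
# RSA-OAEP block at the front of the hybrid ciphertext ("keylen") is 128 bytes.
KEYLEN = 128

class ReplayCache:
    """Minimal digest-keyed replay cache (a stand-in, not Tor's replaycache_t)."""

    def __init__(self):
        self._seen = set()

    def add_and_test(self, data: bytes) -> bool:
        """True if `data` was seen before; otherwise record it and return False."""
        digest = hashlib.sha256(data).digest()
        if digest in self._seen:
            return True
        self._seen.add(digest)
        return False

def introduce2_is_replay(cache, ciphertext, keylen=KEYLEN, whole_ciphertext=False):
    """Replay check over a hybrid-encrypted INTRODUCE2 body.

    whole_ciphertext=False hashes only the first keylen bytes (RSA-OAEP, not
    malleable): the intended behaviour.  whole_ciphertext=True hashes the whole
    body, including the malleable AES-CTR part: the regression in the ticket.
    """
    checked = ciphertext if whole_ciphertext else ciphertext[:keylen]
    return cache.add_and_test(checked)

def make_sample_cells():
    """Constructed sample: one body plus a copy with one bit flipped in its last
    byte (inside the AES-CTR part, where g^x lives).  Random bytes stand in for
    real RSA-OAEP and AES-CTR output."""
    original = os.urandom(KEYLEN) + os.urandom(96)
    altered = original[:-1] + bytes([original[-1] ^ 0x01])
    return original, altered

def run_comparison():
    """Return (correct_check_flags_altered, buggy_check_flags_altered)."""
    original, altered = make_sample_cells()
    correct, buggy = ReplayCache(), ReplayCache()
    # First sighting of the genuine cell is not a replay under either check.
    assert not introduce2_is_replay(correct, original)
    assert not introduce2_is_replay(buggy, original, whole_ciphertext=True)
    return (introduce2_is_replay(correct, altered),                      # True
            introduce2_is_replay(buggy, altered, whole_ciphertext=True))  # False
```

The correct check flags the altered cell as a replay because its RSA-OAEP block is unchanged; the whole-ciphertext check sees a fresh digest and lets it through.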