Michael Rogers wrote:
> If we're concerned with the server choosing its public material in such
> a way as to bias the entropy extraction, does that mean that in this
> case, the attacker is the server, and therefore the server's public
> material shouldn't be included in the salt?
In a one-way authenticated key exchange we only need to consider
adversaries that attempt to impersonate the server. So, yes, we're
considering the case where the attacker plays the server role and
we're saying that unauthenticated material from the server should
not be included in the salt.
Previous versions of prop269 included the server ephemeral shares
in the salt; we've removed those in this version.
The remaining values in the salt are:
- the server's identity digest,
- the server's onion key, and
- ephemeral shares from the client.
All of these values are authentic from the client's perspective.
Since we're not including the server shares in the salt, we also
had to switch from sending 'auth' to sending HMAC(auth, transcript)
in the server response.
tor-dev mailing list
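The design point in the reply above, as an added illustrative sketch rather than prop269's actual construction or any Tor code: the salt fed to the extraction step is built only from values the client already trusts (server identity digest, server onion key, its own ephemeral shares), the server's ephemeral share is kept out of the salt but still appears in the transcript, and the server proves knowledge of the derived secret with HMAC(auth, transcript) instead of sending `auth` directly. All labels, field encodings, key lengths and the choice of SHA-256/HKDF are assumptions made for this example and do not reflect the proposal's real parameters.

```python
import hashlib
import hmac


def _lp(b: bytes) -> bytes:
    """Length-prefix a field so concatenated inputs cannot be re-split (assumed encoding)."""
    return len(b).to_bytes(2, "big") + b


def make_salt(server_id_digest: bytes, server_onion_key: bytes, client_shares: bytes) -> bytes:
    """Salt from client-authentic values only.

    Deliberately takes no server ephemeral share: an attacker playing the
    server role must not be able to steer the extraction step by choosing
    unauthenticated public material. Domain label is an assumption.
    """
    return hashlib.sha256(
        b"example-salt" + _lp(server_id_digest) + _lp(server_onion_key) + _lp(client_shares)
    ).digest()


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand, producing `length` bytes of output keying material."""
    out, t, counter = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        out += t
        counter += 1
    return out[:length]


def derive_keys(shared_secrets: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Split the expanded output into an auth key and a session key (assumed layout)."""
    prk = hkdf_extract(salt, shared_secrets)
    okm = hkdf_expand(prk, b"example-keys", 64)
    return okm[:32], okm[32:]


def server_auth_tag(auth_key: bytes, transcript: bytes) -> bytes:
    """What the server sends: HMAC(auth, transcript), never the raw auth key."""
    return hmac.new(auth_key, transcript, hashlib.sha256).digest()


def client_verify(auth_key: bytes, transcript: bytes, tag: bytes) -> bool:
    """Client recomputes the tag over its own view of the transcript; constant-time compare."""
    return hmac.compare_digest(server_auth_tag(auth_key, transcript), tag)


def demo() -> dict:
    """Run one constructed exchange; all byte values below are made up for the example."""
    server_id = hashlib.sha1(b"constructed server identity").digest()
    onion_key = hashlib.sha256(b"constructed onion key").digest()
    client_share = hashlib.sha256(b"constructed client ephemeral").digest()
    server_share = hashlib.sha256(b"constructed server ephemeral").digest()
    # Stand-in for the concatenated DH/KEM outputs both sides would compute.
    ikm = hashlib.sha256(b"constructed shared secret").digest()

    salt = make_salt(server_id, onion_key, client_share)  # no server_share here
    auth_key, session_key = derive_keys(ikm, salt)

    # The server's ephemeral share is still bound via the transcript under the tag.
    transcript = _lp(server_id) + _lp(onion_key) + _lp(client_share) + _lp(server_share)
    tag = server_auth_tag(auth_key, transcript)

    return {
        "salt": salt,
        "session_key": session_key,
        "verified": client_verify(auth_key, transcript, tag),
        # A modified transcript (e.g. a swapped server share) must fail verification.
        "tampered_verified": client_verify(auth_key, transcript + b"x", tag),
    }


if __name__ == "__main__":
    print(demo())
```

The salt function's signature is the point: the server's share cannot influence extraction because it is never an input, while the tag over the full transcript still commits the server to the share it actually sent.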