[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Tor Diffie-Hellman question

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Tor Diffie-Hellman question
From: Paul Syverson <syverson@xxxxxxxxxxxxxxxx>
Date: Wed, 18 Jan 2006 23:10:01 -0500
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Wed, 18 Jan 2006 23:08:48 -0500
In-reply-to: <43CF0ED5.2020401@csh.rit.edu>
References: <43CF0ED5.2020401@csh.rit.edu>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Mutt/1.4.1i

On Wed, Jan 18, 2006 at 11:00:21PM -0500, Keith Needels wrote:
> Hello,
> 
> I just read through the design paper (Tor: The Second Generation Onion 
> Router), and I have a quick question that I'm sure one of you can answer.
> 
> I might be missing something obvious here, but if the first half of the 
> Diffie-Hellman key exchange sent with the Create/Relay Extend commands 
> is encrypted using RSA and the public key of the onion router in which 
> it is destined, why do Diffie-Hellman at all?  Why not just have our 
> Alice generate the AES key by herself, and send it down the circuit 
> encrypted with the destination OR's public key?
> 

This has some similarity to the generation 0 and generation 1 designs
of onion routing. The problem is that if someone saved all the traffic
that went to that OR and then later broke or otherwise obtained the
private key, they could now get the AES key with which data between
Alice and that OR was encrypted. Using ephemeral DH gets us perfect
forward secrecy. I.e., this sort of attack won't work.

HTH,
Paul

References:
- Tor Diffie-Hellman question
  - From: Keith Needels

Prev by Author: Re: IDS bells ringing
Next by Author: Re: benchmarking a node
Previous by thread: Tor Diffie-Hellman question
Next by thread: CodeCon program announced, early registration deadline nearing
Index(es):
- Author
- Thread