
Re: one less onion skin

On Tue, Mar 06, 2007 at 11:11:16PM -0500, James Muir wrote:
> A typical Tor circuit looks like
> OP -- OR1 -- OR2 -- OR3
> where the three "--" links are all TLS connections.  TLS protects the 
> OP's communications from adversaries outside the network, but another 
> layer of crypto (used inside TLS) is needed to protect them from the 
> onion routers themselves (e.g. we don't want OR1 to learn the identity 
> of OR3).  Thus, the onion proxy (OP) negotiates AES keys and MAC keys 
> with each onion router; call the AES keys k_1, k_2, k_3 and MAC keys 
> d_1, d_2, d_3.
>
> My question is this: why bother with k_1 and d_1? The communications 
> between OP and OR1 don't need to be protected from the other onion 
> routers.  I understand the reason for using k_2,d_2 and k_3,d_3, but 
> k_1,d_1 doesn't seem to be adding anything.

I asked just this question recently in another context. As you noted
in a later message CREATE_FAST allows us to avoid the handshake
(besides the one that formed the TLS link), so it's really just the
k_1, d_1. I suppose it's worth considering. My knee-jerk response is
that (a) the overhead from this vs. everything else in Tor is very
small, and (b) maintaining it provides for a consistency and
flexibility should we want to change the protocol in some other ways,
and to quote Needham's oft-quoting of I think Strachey "It's impossible
to foresee the consequences of one's own cleverness." by which Roger
usually meant that when we try to be too clever in removing things we
don't need we can get ourselves into trouble. On the other hand he
also said (with Martin Abadi in their Prudent Engineering Practices)
"Be clear about why encryption is being done. Encryption is not wholly
cheap, and not asking precisely why it is being done can lead to
redundancy. Encryption is not synonymous with security, and its
improper use can lead to errors." For me, I think this encryption is
cheap enough that (a) and (b) above win for the moment, but I could be
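A toy model of the layering James describes, added here as an example (it is not Tor's code or its real cell format): the OP wraps a relay payload under k_3, then k_2, then k_1, with a per-hop digest under d_i, and each OR checks its digest and strips one layer. Assumptions: an HMAC-SHA256 counter-mode keystream stands in for AES-CTR, the digest is truncated to 4 bytes, and the keys are constructed. Stripping OR1's layer yields exactly the cell the OP would have built with k_1, d_1 omitted, which is the redundancy the question points at.

```python
import hmac
import hashlib
from typing import List, Tuple

TAG_LEN = 4  # truncated per-hop digest (assumption: simplified cell format)

def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, a stdlib stand-in for AES-CTR."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def layer(key: bytes, data: bytes) -> bytes:
    """Apply (or strip) one hop's stream-cipher layer; XOR is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def tag(mac_key: bytes, data: bytes) -> bytes:
    return hmac.new(mac_key, data, hashlib.sha256).digest()[:TAG_LEN]

def op_build(payload: bytes, hops: List[Tuple[bytes, bytes]]) -> bytes:
    """OP wraps for the last hop first (innermost), then each earlier hop."""
    cell = payload
    for k, d in reversed(hops):
        body = layer(k, cell)
        cell = tag(d, body) + body
    return cell

def or_peel(cell: bytes, k: bytes, d: bytes) -> bytes:
    """One onion router verifies its digest d and strips its layer k."""
    t, body = cell[:TAG_LEN], cell[TAG_LEN:]
    if not hmac.compare_digest(t, tag(d, body)):
        raise ValueError("digest mismatch: wrong hop key or tampered cell")
    return layer(k, body)

def relay_through_circuit(payload: bytes, hops: List[Tuple[bytes, bytes]]) -> List[bytes]:
    """What each OR forwards to the next hop; the last entry is OR3's plaintext."""
    cell = op_build(payload, hops)
    forwarded = []
    for k, d in hops:
        cell = or_peel(cell, k, d)
        forwarded.append(cell)
    return forwarded

# Constructed sample keys (k_i, d_i) for OR1, OR2, OR3.
HOPS = [(b"k1" * 16, b"d1" * 16), (b"k2" * 16, b"d2" * 16), (b"k3" * 16, b"d3" * 16)]
```

OR1 and OR2 forward only ciphertext; the cell leaving OR1 is byte-for-byte the cell the OP would have produced with only k_2, d_2 and k_3, d_3.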