[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] (Draft) Proposal 224: Next-Generation Hidden Services in Tor

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] (Draft) Proposal 224: Next-Generation Hidden Services in Tor
From: Nick Mathewson <nickm@xxxxxxxxxxxx>
Date: Fri, 7 Mar 2014 11:51:22 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 07 Mar 2014 11:51:33 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:content-type; bh=ny7TE+13CbDAA6LUbdge6krjHrfmNif0P00TubqctPs=; b=C1WscEh36bKYlhxGRtiCAQ6Wc8eggXYCKe3Q3/WqvGpAcsqQ+U/1OLDUbV5ozilDEg c3lcSMAh9p5SZ4+Cp/kKS8QIoAdbKlQVhucmmppC0eEt3M8T8KmALU82eeocV+BYyoar J5Utwtx/t8Jfrj80QTb8fnRD8esjBDGrSh90aGMTuSiPIwYD0iZntiyspVr6/4kwX7jm PNjSfzZbWQEMvR13fOdOz0Jnizlz25Gd78CoYpk5Np1sB0adGtGETC/CI2OzNXXcAtEE BlvdxfngSGR+xAA2sEHO43iAel44ACVg2kLVNkcLPBBp+xsCWSiIaC0rmwMXvSqOFyzS s0tQ==
In-reply-to: <87mwhwbdfc.fsf@xxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CAKDKvuwcQ1y+Z1SXjDq4AoS8egwkW4tPf=3i98DnLU0bKqcXMQ@xxxxxxxxxxxxxx> <87mwhwbdfc.fsf@xxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On Wed, Feb 12, 2014 at 9:42 AM, George Kadianakis <desnacked@xxxxxxxxxx> wrote:
> Nick Mathewson <nickm@xxxxxxxxxxxxxx> writes:
>
>> Hi, all!
>>
>> <snipz>
>>
>> 3.2.3. Legacy formats [LEGACY-INTRODUCE1]
>>
>>    When the ESTABLISH_INTRO cell format of [LEGACY_EST_INTRO] is used,
>>    INTRODUCE1 cells are of the form:
>>
>>      AUTH_KEYID_HASH  [20 bytes]
>>      ENC_KEYID        [8 bytes]
>>      Any number of times:
>>        EXT_FIELD_TYPE [1 byte]
>>        EXT_FIELD_LEN  [1 byte]
>>        EXT_FIELD      [EXTRA_FIELD_LEN bytes]
>>      ZERO             [1 byte]
>>      ENCRYPTED        [Up to end of relay payload]
>>
>
> What is this cell format?

I don't understand the question.

>  Is this supposed to match the format of the
> legacy INTRODUCE1 from rend-spec.txt?

No.  It's supposed to be compatible with it, though, to the extent
that the first bytes of the cell identify the key in use in both
cases.

I've added:
   (After checking AUTH_KEYID and ENC_KEYID and finding no match, the
   introduction point should check to see whether a legacy hidden service is
   running whose PK_ID is the first 20 bytes of AUTH_KEYID. If so, it
   behaves as in rend-spec.txt.)


>>    Here, AUTH_KEYID_HASH is the hash of the introduction point
>>    authentication key used to establish the introduction.
>>
>>    Because of limitations in older versions of Tor, the relay payload
>>    size for these INTRODUCE1 cells must always be at least 246 bytes, or
>>    they will be rejected as invalid.
>>
>> 3.3. Processing an INTRODUCE2 cell at the hidden service. [PROCESS_INTRO2]
>>
>>    Upon receiving an INTRODUCE2 cell, the hidden service host checks
>>    whether the AUTH_KEYID/AUTH_KEYID_HASH field and the ENC_KEYID fields
>>    are as expected, and match the configured authentication and
>>    encryption key(s) on that circuit.
>>
>>    The service host then checks whether it has received a cell with
>>    these contents before. If it has, it silently drops it as a
>>    replay. (It must maintain a replay cache for as long as it accepts
>>    cells with the same encryption key.)
>>
>
> Hm, which parts of the cell is the HS supposed to save in its replay
> cache? Is it the whole cell?

Yes.

> If it's the whole cell, should we be careful of the malleability of
> AES-CTR, where the IP can tweak a bit of the ciphertext and get past
> the replay cache?

Note that the new encryption mechanism is supposed to be
non-malleable; the MAC is supposed to cover all of the INTRODUCE1
cell.
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Prev by Author: Re: [tor-dev] Some initial analysis on the new "Triple Handshake Attack" and Tor
Next by Author: [tor-dev] Weekly Tor dev meeting: Wednesday March 12, 20:00 UTC
Previous by thread: Re: [tor-dev] Hidden service search engine (GSoC)
Next by thread: Re: [tor-dev] Accessing hidden services with TAP or ntor
Index(es):
- Author
- Thread