[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Tor Diffie-Hellman question

On Wed, Jan 18, 2006 at 11:00:21PM -0500, Keith Needels wrote:
> Hello,
> I just read through the design paper (Tor: The Second Generation Onion 
> Router), and I have a quick question that I'm sure one of you can answer.
> I might be missing something obvious here, but if the first half of the 
> Diffie-Hellman key exchange sent with the Create/Relay Extend commands 
> is encrypted using RSA and the public key of the onion router in which 
> it is destined, why do Diffie-Hellman at all?  Why not just have our 
> Alice generate the AES key by herself, and send it down the circuit 
> encrypted with the destination OR's public key?

This has some similarity to the generation 0 and generation 1 designs
of onion routing. The problem is that if someone saved all the traffic
that went to that OR and then later broke or otherwise obtained the
private key, they could now get the AES key with which data between
Alice and that OR was encrypted. Using ephemeral DH gets us perfect
forward secrecy. I.e., this sort of attack won't work.