[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Is it desirable to prevent users from choosing their own circuits?

My understanding is that Tor user's are responsible (via their client)
for creating their own circuit, and that this is typically done at
random. However, are there any safeguards in place to ensure that it
is random, and would this be desirable? I would imagine that attackers
might try to choose specific circuits in order to learn more about
particular nodes, and the network in general. Would preventing this
behavior be helpful, and if so, would it be helpful enough to offset
any disadvantage it causes for legit users?

My idea is pretty simple. Instead of creating the circuit through
black-box means (relying on their local RNGs, for instance), the user
would create some seed value S, and then a list of random adjustment
values, R0, R1, R2,..., one for each relay in the circuit. The S value
would be used to enforce randomness in the circuit, but the R values
would be used to hide their circuit from relays as usual.

Creating the onion, the user would put a different R value into each
layer, encrypted for that relay, of course. To create the circuit,
they would take a hash of S+R0 to get the address of the first relay:
A1 = H(S+R0), and then hash this plus R1 to get the second relay: A2 =
H(H(S+R0)+R1)), and so on.

The user would now encrypt S for the first relay, and send that along
side the onion. This relay would get R0 from the onion, and then hash
S+R0 and confirm that the result points to their node, offering strong
evidence that the user did not choose them deliberately (since that
would require reversing the hash, which we'll assume is strong). Now
they can unwrap the onion as usual, and forward it to the next relay.
They would also encrypt H(S+R0) for this next relay, and send that
along side the side, so that relay can also confirm that they were not
chosen deliberately (by hashing H(S+R0) + R1), and so on until it
reaches the exit node. Each each stage, the relay can't get to the
R-value for the next node, so they only have part of the value that
will be hashed there, and they can't figure out where it will go from
there, ensuring forward privacy as usual.

Ok, just a little idea I had. Someone can go ahead and tell me now
that this is already being done, or why it's so obviously flawed that
it wouldn't work, or why it's so obviously flawed that it would be
devastating to legit users.


Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/