On Fri, Jan 19, 2007 at 09:33:48PM -0800, Christian Seberino wrote:
> *** ''Tearing down circuits'' section of spec had a sentence I'd like to
> humbly ask clarification on...
>
> "The origin of a circuit always sets this error code to 0, to avoid
> leaking its version."
>
> The origin must be an OP, right?

It is whatever process decided to create the circuit in the first place, and sent the first create cell. ORs can initiate circuits too, for various purposes including testing their OR ports.

> If OP sets reason byte value (error code) to zero then how can ORs
> propagate the right one?

The ORs propagate the value they get in their destroy cells: 0.

> And what does it mean 'leaking its version'?

Older versions of Tor didn't ever send versions in destroy cells. If newer clients included version information, that would be a giveaway that they were newer. In practice, there are sometimes other ways to distinguish a client's possible range of versions, but we try not to add them gratuitously.

(Also, even if it weren't for the version issue, we probably wouldn't want circuit initiators to set a full range of destroy reasons: First, ORs shouldn't really care why they're tearing down a circuit; they should just do it when asked. Second, some of the error codes could conceivably tell an attacker something useful about the client.)

> *** As cells travel along circuits, ORs decrypt them and send them along
> (re-encrypted) after analyzing the payloads, right? Hence old encryption is
> //replaced// with new encryption as cells move down the circuit! So I don't
> understand why OP needs to do multiple decryptions for every hop along the
> circuit.

I think you're confused. There are two kinds of encryption that happen to cells.

One (link encryption) happens at every step with TLS. This one is added to everything as it goes over the wire, and decrypted before anything happens to any cell. The purpose of link encryption is to prevent an adversary from seeing or altering cells as they pass from router to router.

The other (circuit-based) encryption happens for relay cells at every step, using keys negotiated during circuit setup. ORs decrypt relay cells as they move away from the origin, and encrypt them as they move toward the origin -- never both. The OP (or whoever initiated the circuit) needs to have these keys so it can generate relay cells that will reach their destination properly, and so it can read the multiply-encrypted responses when they arrive. Circuit encryption needs to be done in multiple layers so that nobody but the circuit originator and the exit can see plaintext cell contents, and so that the cells look different at every step.

I think this is documented on the website, and in tor-design.pdf. With any luck, it will make sense this time.

peace,
-- 
Nick Mathewson
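To make the layered circuit encryption described in the reply concrete, here is an added simulation (not from the original thread and not Tor's own code) of an origin, three ORs and the per-hop forward/backward keys: outbound cells lose one layer per hop and are readable only at the target hop, inbound cells gain one layer per hop and are unwrapped only by the origin. It assumes a hash-based stream cipher standing in for AES-CTR and a per-cell digest in place of Tor's running digest; the names StreamCipher, make_relay_cell, build_circuit, send_outbound and send_inbound are mine.

```python
import hashlib
import os
# Constructed stand-in for Tor's AES-128-CTR (assumption): XOR with sha256(key||pos) bytes.
# As in CTR mode one call both encrypts and decrypts; each key keeps its position across cells.
class StreamCipher:
    def __init__(self, key: bytes):
        self.key, self.pos = key, 0
    def apply(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            out.append(b ^ hashlib.sha256(self.key + self.pos.to_bytes(8, "big")).digest()[0])
            self.pos += 1
        return bytes(out)

# Simplified relay cell: 2-byte 'recognized' field (zero) + 4-byte digest + payload.
# (Tor keeps a running digest per hop; a per-cell hash is enough to show the OR's check.)
def make_relay_cell(payload: bytes) -> bytes:
    return b"\x00\x00" + hashlib.sha256(payload).digest()[:4] + payload

def recognized(cell: bytes) -> bool:
    return cell[:2] == b"\x00\x00" and cell[2:6] == hashlib.sha256(cell[6:]).digest()[:4]

def build_circuit(n_hops: int):
    # Per-hop forward (Kf) and backward (Kb) keys; origin and each OR hold their own copies.
    keys = [(os.urandom(16), os.urandom(16)) for _ in range(n_hops)]
    return ([(StreamCipher(kf), StreamCipher(kb)) for kf, kb in keys],
            [(StreamCipher(kf), StreamCipher(kb)) for kf, kb in keys])

def send_outbound(origin, relays, target: int, payload: bytes):
    # Origin adds one Kf layer per hop up to `target` (target's innermost); each OR peels one and checks recognized.
    cell = make_relay_cell(payload)
    for kf, _ in reversed(origin[: target + 1]):
        cell = kf.apply(cell)
    seen = []                                # per hop: did it see plaintext?
    for kf, _ in relays:
        cell = kf.apply(cell)
        seen.append(recognized(cell))
        if seen[-1]:
            return seen, cell[6:]            # deliver here; do not forward further
    return seen, None

def send_inbound(origin, relays, source: int, payload: bytes):
    # Hop `source` replies; each OR on the way back adds its Kb layer; origin peels hop 1's, 2's, ... until recognized.
    cell = make_relay_cell(payload)
    for _, kb in reversed(relays[: source + 1]):
        cell = kb.apply(cell)
    for i, (_, kb) in enumerate(origin):
        cell = kb.apply(cell)
        if recognized(cell):
            return i, cell[6:]
    return None, None
```

Because each key's keystream position advances on both sides in lockstep, a second cell to a different hop still lines up; that is why the origin must track every hop's keys, not just the exit's.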